WSO2 Identity Server 5.0.0 is vulnerable to an XML External Entity (XEE) attack in the federated SAML2 SSO authentication flow. The attack can be carried out by modifying the SAMLRequest or SAMLResponse parameters.
Severity: CRITICAL - Patch Immediately.
None of the Identity Server releases prior to IS 5.0.0, nor any other WSO2 products, are vulnerable.
This attack may lead to the disclosure of confidential data, denial of service, port scanning from the perspective of the machine where the parser is located, and other system impacts.
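The root cause of this class of issue is an XML parser that resolves DOCTYPE declarations and external entities in attacker-controlled input. The following is an added illustration, not WSO2's code or the content of the patch: it decodes a POST-binding SAMLResponse/SAMLRequest parameter (Base64) and parses it with a JAXP DocumentBuilderFactory configured to reject DOCTYPE declarations and external entity resolution. The class name, the minimal SAML element, and the DOCTYPE-bearing sample document are constructed for the example; the parser feature URIs are the standard Xerces/SAX ones.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical class name; illustrates hardened parsing of a SAML parameter, not vendor code.
public class HardenedSamlParser {

    // Factory that refuses DOCTYPE declarations, external entities and XInclude.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // SAML documents rely on namespaces
        // Rejecting any DOCTYPE stops entity declarations before they can be processed.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: also disable entity resolution should a DOCTYPE ever be allowed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Decode a POST-binding SAML parameter (plain Base64) and parse it with the hardened factory.
    static Document parseSamlParameter(String base64Param) throws Exception {
        byte[] xml = Base64.getDecoder().decode(base64Param);
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        // Last line of defence: never fetch anything the document points at.
        builder.setEntityResolver((publicId, systemId) -> {
            throw new SAXException("external entity resolution blocked: " + systemId);
        });
        return builder.parse(new ByteArrayInputStream(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal, well-formed response element (not a real SAML assertion).
        String benign = "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"_example\" Version=\"2.0\"/>";
        // Constructed sample: the same element preceded by a DOCTYPE that declares an external
        // entity pointing at a placeholder URI; a hardened parser must reject this outright.
        String withDoctype = "<!DOCTYPE samlp:Response [<!ENTITY ext SYSTEM \"http://example.invalid/entity\">]>"
                + "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\""
                + " ID=\"&ext;\" Version=\"2.0\"/>";

        String benignParam = Base64.getEncoder().encodeToString(benign.getBytes(StandardCharsets.UTF_8));
        String doctypeParam = Base64.getEncoder().encodeToString(withDoctype.getBytes(StandardCharsets.UTF_8));

        Document ok = parseSamlParameter(benignParam);
        System.out.println("benign document parsed, root = " + ok.getDocumentElement().getTagName());

        try {
            parseSamlParameter(doctypeParam);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXException e) {
            // disallow-doctype-decl makes the parser fail before any entity can be resolved
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Two caveats for anyone adapting this: the HTTP-Redirect binding DEFLATE-compresses the SAMLRequest before Base64-encoding it, so that path needs an inflate step (with a size cap) before parsing; and hardening the parser is a defence-in-depth measure, not a substitute for the vendor patch described in this advisory.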
Apply the following patches, following the instructions in the README file included with each patch.
Make sure to apply IS 5.0.0 Service Pack 1 (WSO2-IS-5.0.0-SP01) before applying this security patch.
WSO2 thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.