It was brought to our attention that the spring-security-saml sample application contained an XML External Entity (XXE) vulnerability. This meant that a malicious user could view any file that the Spring application's process had access to.
The issue was a direct result of the vulnerability described in the OpenSAML security advisory "OpenSAML Java ParserPool and Decrypter Vulnerable To XML Attacks". The default behavior of the ParserPool implementations is fixed in OpenSAML 2.6.1+ (which Spring Security SAML uses). However, the vulnerability is still possible if users construct their own ParserPool without the proper settings.
Note: We did not consider this a CVE because the exploit was only found in the sample application, which is not considered production code. However, we expect that our users may have copied this code to create their own applications. For this reason, we wanted to be transparent and communicate the issue and the fix.
The sample application has been fixed in 925c892 by removing the customizations to the ParserPool.
Users should ensure that any applications using OpenSAML have been fixed according to the Recommendations section within the OpenSAML Security Advisory. Commit 925c892 can be used as a model of one way of conforming to the Recommendations section.
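One way to conform to those Recommendations in code, as an added example that is not taken from the sample application or from commit 925c892: a BasicParserPool built with the OpenSAML 2.x API (`org.opensaml.xml.parse`), with DOCTYPE declarations disallowed and entity expansion disabled, plus a check that a document carrying a DOCTYPE is refused. The class name, the pool size and the two tiny inline documents are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.w3c.dom.Document;

public class HardenedParserPool {

    /** Builds a ParserPool with the settings the OpenSAML advisory recommends. */
    public static BasicParserPool create() {
        BasicParserPool pool = new BasicParserPool();
        pool.setMaxPoolSize(50);            // assumed value, not from the page
        pool.setNamespaceAware(true);
        // Never expand entity references: an external entity is how XXE reads files.
        pool.setExpandEntityReferences(false);
        Map<String, Boolean> features = new HashMap<String, Boolean>();
        // Reject any DOCTYPE outright; SAML messages never legitimately carry one.
        features.put("http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
        features.put("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
        features.put("http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
        features.put("http://javax.xml.XMLConstants/feature/secure-processing", Boolean.TRUE);
        pool.setBuilderFeatures(features);
        return pool;
    }

    /** Returns true only if the pool refuses a document that declares a DOCTYPE. */
    public static boolean rejectsDoctype(BasicParserPool pool) {
        // Constructed input: a DOCTYPE with no entities is enough to trigger the check.
        String withDoctype = "<!DOCTYPE Response><Response/>";
        try {
            pool.parse(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
            return false;   // parsed: the pool is NOT hardened
        } catch (XMLParserException expected) {
            return true;    // refused: disallow-doctype-decl is in effect
        }
    }

    public static void main(String[] args) throws XMLParserException {
        BasicParserPool pool = create();
        // Constructed input: a plain document without DOCTYPE still parses normally.
        Document ok = pool.parse(new ByteArrayInputStream("<Response/>".getBytes(StandardCharsets.UTF_8)));
        System.out.println("plain document root: " + ok.getDocumentElement().getNodeName());
        System.out.println("DOCTYPE rejected: " + rejectsDoctype(pool));
    }
}
```

If `rejectsDoctype` returns false for a pool in your own application, that pool has overridden the hardened defaults and is the kind of customization commit 925c892 removed.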
This issue was responsibly disclosed by Max Justicz and Nick Freeman of Bishop Fox (https://www.bishopfox.com).