This week, the software world found out that SAML Vulnerabilities Affecting Multiple Implementations were discovered. If you use Spring Security SAML's defaults, you are not impacted by this vulnerability.
The underlying implementation that Spring Security SAML uses is Shibboleth's OpenSAML Java library. The OpenSAML Java implementation was not listed among the libraries that contain the vulnerability (Shibboleth's OpenSAML C++ was vulnerable). However, if the `ParserPool` has been customized, you may be impacted.

Specifically, if the application explicitly sets the `BasicParserPool` or the `StaticBasicParserPool` to have `ignoreComments = false`, it is vulnerable to the exploit. For example, the following configurations are vulnerable:
Unsafe Java Configuration with StaticBasicParserPool

```java
// NOT secure!!!
@Bean(initMethod = "initialize")
ParserPool parserPool() {
    StaticBasicParserPool pool = new StaticBasicParserPool();
    // DO NOT do this: ignoreComments = false opens up the exploit
    pool.setIgnoreComments(false);
    return pool;
}
```

Unsafe Java Configuration with BasicParserPool

```java
// NOT secure!!!
@Bean
ParserPool parserPool() {
    BasicParserPool pool = new BasicParserPool();
    // DO NOT do this: ignoreComments = false opens up the exploit
    pool.setIgnoreComments(false);
    return pool;
}
```

Unsafe XML Configuration with StaticBasicParserPool

```xml
<!-- NOT secure!!! -->
<bean id="parserPool" init-method="initialize"
      class="org.opensaml.xml.parse.StaticBasicParserPool">
    <!-- DO NOT do this: ignoreComments = false opens up the exploit -->
    <property name="ignoreComments" value="false"/>
</bean>
```

Unsafe XML Configuration with BasicParserPool

```xml
<!-- NOT secure!!! -->
<bean id="parserPool" class="org.opensaml.xml.parse.BasicParserPool">
    <!-- DO NOT do this: ignoreComments = false opens up the exploit -->
    <property name="ignoreComments" value="false"/>
</bean>
```
The following configurations are safe:
Safe Java Configuration with StaticBasicParserPool

```java
// StaticBasicParserPool must be initialized before use, hence initMethod
@Bean(initMethod = "initialize")
ParserPool parserPool() {
    StaticBasicParserPool pool = new StaticBasicParserPool();
    // ignoreComments default is true (safe)
    return pool;
}
```

Safe Java Configuration with BasicParserPool

```java
@Bean
ParserPool parserPool() {
    BasicParserPool pool = new BasicParserPool();
    // ignoreComments default is true (safe)
    return pool;
}
```

Safe XML Configuration with StaticBasicParserPool

```xml
<bean id="parserPool" init-method="initialize"
      class="org.opensaml.xml.parse.StaticBasicParserPool">
    <!-- ignoreComments default is true (safe) -->
</bean>
```

Safe XML Configuration with BasicParserPool

```xml
<bean id="parserPool" class="org.opensaml.xml.parse.BasicParserPool">
    <!-- ignoreComments default is true (safe) -->
</bean>
```
Now is probably a good time to review additional unsafe configurations. Specifically, the following `ParserPool` properties are UNSAFE:

- It is UNSAFE to set `expandEntityReferences` to `true`.
- It is UNSAFE to set `javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING` to `false`.
- It is UNSAFE to set `http://apache.org/xml/features/disallow-doctype-decl` to `false`. This is a Xerces-specific feature, including derivatives such as the internal JAXP implementations supplied with the Oracle and OpenJDK JREs. For other JAXP implementations, read the documentation for your particular implementation for how to achieve a similar configuration.
- It is UNSAFE to set `ignoreComments` to `false` (as discussed in this article).
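As an added illustration (not code from the original post or from Spring Security SAML), the following startup check inspects an OpenSAML 2.x pool for the four unsafe settings listed above and lets the application fail fast if any is present. The class name `ParserPoolAudit` is hypothetical, and the accessor names `isIgnoreComments()`, `isExpandEntityReferences()` and `getBuilderFeatures()` are assumed from the `org.opensaml.xml.parse` API.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.xml.XMLConstants;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.parse.StaticBasicParserPool;

/** Hypothetical startup check (added example, not part of Spring Security SAML). */
public final class ParserPoolAudit {
    // Xerces-specific feature from the list above; it must not be set to false.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    /** Returns every unsafe setting found; an empty list means the pool matches the safe defaults. */
    public static List<String> audit(boolean ignoreComments, boolean expandEntityReferences,
                                     Map<String, Boolean> builderFeatures) {
        List<String> findings = new ArrayList<>();
        if (!ignoreComments) {
            findings.add("ignoreComments=false (the setting discussed in this article)");
        }
        if (expandEntityReferences) {
            findings.add("expandEntityReferences=true");
        }
        if (builderFeatures != null) {
            // Only an explicit false is a finding; an absent key keeps the parser's default.
            if (Boolean.FALSE.equals(builderFeatures.get(XMLConstants.FEATURE_SECURE_PROCESSING))) {
                findings.add("FEATURE_SECURE_PROCESSING=false");
            }
            if (Boolean.FALSE.equals(builderFeatures.get(DISALLOW_DOCTYPE))) {
                findings.add("disallow-doctype-decl=false");
            }
        }
        return findings;
    }

    // The two OpenSAML 2.x pools share no settings interface, so one overload each (accessor names assumed).
    public static List<String> audit(BasicParserPool pool) {
        return audit(pool.isIgnoreComments(), pool.isExpandEntityReferences(), pool.getBuilderFeatures());
    }

    public static List<String> audit(StaticBasicParserPool pool) {
        return audit(pool.isIgnoreComments(), pool.isExpandEntityReferences(), pool.getBuilderFeatures());
    }

    /** Call from the @Bean method so the context fails to start instead of running with a weakened parser. */
    public static void requireSafe(List<String> findings) {
        if (!findings.isEmpty()) {
            throw new IllegalStateException("Unsafe ParserPool configuration: " + findings);
        }
    }
}
```

In a Java configuration, placing `ParserPoolAudit.requireSafe(ParserPoolAudit.audit(pool));` before `return pool;` in the `parserPool()` bean turns any of the four settings into a context startup failure rather than a silently weakened parser.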