Layer7 API Management


SAML Vulnerability VU#475445

Mar 02, 2018 04:29 PM

Dear CA Customer:

The purpose of this Critical Alert is to inform you of our status regarding Vulnerability Note VU#475445, "Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal." Please read the information provided below and follow the instructions in order to avoid being impacted by this problem.

PRODUCT(S) AFFECTED: CA API Gateway
RELEASES: all

PROBLEM DESCRIPTION:

The following CVEs were recently identified in the industry-wide advisory: CVE-2017-11427 (OneLogin's "python-saml"), CVE-2017-11428 (OneLogin's "ruby-saml"), CVE-2017-11429 (Clever's "saml2-js"), CVE-2017-11430 ("OmniAuth-SAML") and CVE-2018-0489 (Shibboleth OpenSAML C++). The note states: "Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers."

Ref: Vulnerability Note VU#475445 - Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalizatio… 
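As an added illustration (not part of CA's alert) of the DOM-traversal flaw the note describes, the following Python reads a constructed SAML NameID both the vulnerable way and a hardened way. The assertion XML, the function names and the placeholder domain are assumptions made for this example.

```python
# Added example, not CA's code. Demonstrates the VU#475445 bug class:
# a reader that takes only the first DOM text node sees a different value
# than the one the signature was computed over, because exclusive XML
# canonicalization (which SAML signatures cover) omits comment nodes.
from xml.dom import minidom
from xml.dom.minidom import Node

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the NameID text is split by an XML comment.
SPLIT_NAMEID = (
    '<saml:Assertion xmlns:saml="%s"><saml:Subject>'
    '<saml:NameID>user@example.com<!-- -->.attacker.example</saml:NameID>'
    '</saml:Subject></saml:Assertion>' % SAML_NS
)

# Constructed sample: a well-formed NameID with a single text child.
CLEAN_NAMEID = (
    '<saml:Assertion xmlns:saml="%s"><saml:Subject>'
    '<saml:NameID>user@example.com</saml:NameID>'
    '</saml:Subject></saml:Assertion>' % SAML_NS
)

def name_id_element(xml_text):
    """Locate the first saml:NameID element in the assertion."""
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]

def naive_name_id(xml_text):
    """Vulnerable pattern: return only the first text node's value."""
    return name_id_element(xml_text).firstChild.nodeValue

def full_text_name_id(xml_text):
    """What canonicalization actually signed: all text children joined."""
    return "".join(c.nodeValue for c in name_id_element(xml_text).childNodes
                   if c.nodeType == Node.TEXT_NODE)

def strict_name_id(xml_text):
    """Hardened reader: accept exactly one text child, reject mixed content."""
    children = name_id_element(xml_text).childNodes
    if len(children) != 1 or children[0].nodeType != Node.TEXT_NODE:
        raise ValueError("NameID contains comments or extra nodes; rejecting")
    return children[0].nodeValue
```

A service provider that derives identity from `naive_name_id` trusts a value the signature never covered; `strict_name_id` refuses the input outright, which is the safer default for a signed identifier.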


SYMPTOMS:
"By modifying SAML content without invalidating the cryptographic signature, a remote, unauthenticated attacker may be able to bypass primary authentication for an affected SAML service provider."

Ref: Vulnerability Note VU#475445 - Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalizatio… 


IMPACT:
No specific impact to this product set, but please read on.


WORKAROUND:
There is currently no known workaround for this issue.


PROBLEM RESOLUTION:
CA API Gateway does not use the affected libraries so no action is required.


If you have any questions about this Critical Alert, please contact CA Support.

Thank you,

CA Support Team
