Guillaume Rousse guillaume.rousse at
Mon Nov 7 12:45:00 UTC 2022


My apologies if this has already been discussed, but I couldn't find any 
trace on this list archive. According to Google Project Zero, it's quite 
simple to execute arbitrary commands via a malicious XML signature in a 
SAML request, for an IdP running a vulnerable OpenJDK version:

A full presentation is available here:

The exploit uses an XSLT transformation during signature validation, and 
takes advantage of the presence of Xalan-J shipped with OpenJDK for 
loading a forged serialized Java class. Fixes have been published for 
OpenJDK, but it takes some time to percolate in distributions, depending 
on exact distribution model.

From the content of the WEB-INF/lib directory of the webapp, Shibboleth IdP 
relies on xmlsec-2.3.0 for signature validation. I have no clue if this 
component, as used in Shibboleth IdP, allows this kind of 
transformation, making it potentially vulnerable. And the only 
configuration switch I found so far was the ignoreRequestSignatures flag 
in the SAML 2 profile configuration:

So, should we panic :) ?

Guillaume Rousse
Direction des Services Applicatifs
Tel: +33 1 53 94 20 45
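As an added example (not code from the mailing-list post, the Shibboleth project or Apache Santuario), the following Python pre-filter shows the defensive check the question points at: before a SAML message is handed to the XML signature library, walk every ds:Transform in its ds:Signature and reject the message if any Transform algorithm is outside a short allowlist (enveloped-signature and the canonicalization algorithms a SAML signature legitimately needs). The XSLT transform URI is the standard XML-DSig one; the allowlist, the function names and the two sample AuthnRequest documents are assumptions constructed for the example, and the digest and signature values in them are placeholders.

```python
"""Pre-filter for SAML messages: reject any XML signature whose ds:Reference
uses a Transform algorithm that is not on an explicit allowlist (for example
the XSLT transform), before the message reaches the signature library.

Added example; the allowlist, sample documents and helper names are assumptions."""

try:
    # defusedxml hardens the parser against entity-expansion attacks; fall back
    # to the standard library when it is not installed.
    from defusedxml import ElementTree as ET
except ImportError:  # pragma: no cover
    import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# The XSLT transform URI defined by XML-DSig; it is the one the question is about.
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Transforms a SAML signature legitimately needs (assumed allowlist). Anything
# else, XSLT and XPath included, is rejected up front.
ALLOWED_TRANSFORMS = frozenset({
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/2006/12/xml-c14n11",
})


def disallowed_transforms(xml_text: str) -> list:
    """Return the Algorithm URI of every ds:Transform that is not allowlisted.

    An empty list means the signature only uses expected transforms. A missing
    Algorithm attribute is reported as "" so that it is rejected too."""
    root = ET.fromstring(xml_text)
    found = []
    for transform in root.iter(f"{{{DS_NS}}}Transform"):
        alg = transform.get("Algorithm", "")
        if alg not in ALLOWED_TRANSFORMS:
            found.append(alg)
    return found


def is_acceptable(xml_text: str) -> bool:
    """True when the message may be passed on to signature validation."""
    return not disallowed_transforms(xml_text)


def _sample_request(transform_algorithms) -> str:
    """Build a constructed, minimal signed AuthnRequest (placeholder digests)."""
    transforms = "".join(
        f'<ds:Transform Algorithm="{alg}"/>' for alg in transform_algorithms
    )
    return f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:ds="{DS_NS}"
    ID="_constructed-request-1" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_constructed-request-1">
        <ds:Transforms>{transforms}</ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""


# Constructed samples: a normal SAML signature, and one that also declares an
# XSLT transform on the reference.
BENIGN_REQUEST = _sample_request([
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
])
XSLT_REQUEST = _sample_request([
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    XSLT_TRANSFORM,
])


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_REQUEST), ("xslt", XSLT_REQUEST)):
        verdict = "accept" if is_acceptable(doc) else f"reject {disallowed_transforms(doc)}"
        print(f"{name}: {verdict}")
```

The check has to run on the raw message before any signature library parses or dereferences it, and it complements rather than replaces the library's own restrictions on transforms: a signature that passes this filter still needs full validation, and a filter alone says nothing about what the library would do with transforms it never sees here.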