CVE-2022-34169
Guillaume Rousse
guillaume.rousse at renater.fr
Mon Nov 7 12:45:00 UTC 2022
Hello.
My apologies if this has already been discussed, but I couldn't find any
trace in this list's archive. According to Google Project Zero, it's quite
simple to execute arbitrary commands via a malicious XML signature in a
SAML request, for an IdP running a vulnerable OpenJDK version:
https://bugs.chromium.org/p/project-zero/issues/detail?id=2290
A full presentation is available here:
https://www.youtube.com/watch?v=WHn-6xHL7mI
The exploit uses an XSLT transformation during signature validation, and
takes advantage of the presence of Xalan-J shipped with OpenJDK to
load a forged serialized Java class. Fixes have been published for
OpenJDK, but it takes some time for them to percolate into distributions,
depending on the exact distribution model.
From the content of the webapp's WEB-INF/lib directory, Shibboleth IdP
relies on xmlsec-2.3.0 for signature validation. I have no clue if this
component, as used in Shibboleth IdP, allows this kind of
transformation, making it potentially vulnerable. And the only
configuration switch I found so far was the ignoreRequestSignatures flag
in the SAML 2 profile configuration:
https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631684/ProfileConfiguration-SAML2
So, should we panic :) ?
Regards.
--
Guillaume Rousse
Direction des Services Applicatifs
RENATER - Paris
Tel: +33 1 53 94 20 45
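As an added example (not the poster's code, and not code from the Shibboleth IdP or the xmlsec library), the following Python script shows the kind of pre-validation check a practitioner would want against the attack described above: it enumerates the ds:Transform algorithms declared in a SAML message's XML Signature and refuses the message if any transform falls outside an allowlist, so an XSLT transform is never handed to the signature validator. The allowlist (enveloped-signature and exclusive canonicalization) is an assumption about what a SAML signature legitimately needs, and both sample requests are constructed here with placeholder digest and signature values.

```python
"""Added example (not Shibboleth or xmlsec code): list the ds:Transform
algorithms in a SAML message's XML Signature and flag anything outside an
allowlist, so an XSLT transform is refused before any validator runs it."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
# Transform algorithm URI for XSLT, as defined by the XML Signature spec.
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# Assumed allowlist: the only transforms an enveloped SAML signature needs.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
}

def transform_algorithms(xml_text: str) -> list:
    """Return the Algorithm attribute of every ds:Transform in the document."""
    root = ET.fromstring(xml_text)
    return [t.get("Algorithm", "") for t in root.iter(f"{{{DS}}}Transform")]

def disallowed_transforms(xml_text: str) -> list:
    """Return the transform algorithms that are not on the allowlist."""
    return [a for a in transform_algorithms(xml_text) if a not in ALLOWED_TRANSFORMS]

def check_request(xml_text: str) -> bool:
    """True if the signature uses only allowlisted transforms."""
    return not disallowed_transforms(xml_text)

def _sample_request(transforms_xml: str) -> str:
    """Constructed AuthnRequest skeleton whose signature uses the given transforms.
    DigestValue and SignatureValue are placeholders, not real cryptography."""
    return f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_req1" Version="2.0" IssueInstant="2022-11-07T12:45:00Z">
  <ds:Signature xmlns:ds="{DS}">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_req1">
        <ds:Transforms>{transforms_xml}</ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
</samlp:AuthnRequest>"""

# Constructed benign request: enveloped-signature plus exclusive c14n only.
BENIGN_REQUEST = _sample_request(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
)

# Constructed hostile request: an XSLT transform carrying a stylesheet that a
# validator would execute. The stylesheet body here is a harmless placeholder.
XSLT_REQUEST = _sample_request(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    f'<ds:Transform Algorithm="{XSLT_TRANSFORM}">'
    '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">'
    '<xsl:template match="/"><out/></xsl:template></xsl:stylesheet>'
    '</ds:Transform>'
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_REQUEST), ("xslt", XSLT_REQUEST)):
        verdict = "accept" if check_request(doc) else f"reject {disallowed_transforms(doc)}"
        print(name, verdict)
```

The point of checking the transform list before validation is that the attack runs during validation itself: a validator that executes XSLT has already done the damage before it decides the signature is bad. An allowlist of this shape is what the JDK's XML Signature secure-validation mode (the `org.jcp.xml.dsig.secureValidation` property) enforces when it forbids XSLT transforms.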