Cantor, Scott cantor.2 at
Mon Nov 7 13:30:05 UTC 2022

SAML does not allow those sorts of arbitrary transforms by specification, and it's been many years since any of our code was vulnerable to any attacks like that; they all got addressed very early on (I think long before the other wrapping attacks became prevalent, and that was over 10 years ago).

More to the point, the "fix" for this is not in the JDK. If any SAML libraries were still vulnerable to this, they're still vulnerable to other attacks, if not that exact one.

I cannot say for certain whether xmlsectool can verify non-SAML signatures. It could in theory be vulnerable to this sort of thing out of simple generality. It's more of a signing tool than a verifier.

-- Scott
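As an added illustration of the profile restriction Scott refers to (example code written for this page, not code from the thread, from Shibboleth or from xmlsectool): a verifier-side check that rejects any ds:Transform algorithm outside the set the SAML 2.0 specification permits, so an XSLT transform never reaches the signature engine. The two SAML-like documents are constructed samples.

```python
"""Reject XML Signature <Transform> algorithms the SAML 2.0 profile does not permit."""
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# SAML 2.0 profiles XML-DSig: a Reference may only use the enveloped-signature
# transform and exclusive canonicalization. Anything else (XSLT, XPath, ...) is
# outside the spec and should be refused before verification is attempted.
ALLOWED_TRANSFORMS = frozenset({
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
})


def disallowed_transforms(xml_text: str) -> list:
    """Return every ds:Transform Algorithm URI in the document that SAML does not allow."""
    root = ET.fromstring(xml_text)
    bad = []
    for transform in root.iter(f"{{{DSIG_NS}}}Transform"):
        alg = transform.get("Algorithm", "")
        if alg not in ALLOWED_TRANSFORMS:
            bad.append(alg)
    return bad


def saml_transforms_ok(xml_text: str) -> bool:
    """True only if every transform in the signature is one the SAML profile permits."""
    return not disallowed_transforms(xml_text)


# Constructed sample: the transform pair a conforming SAML signer emits.
CONFORMING_SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
    <ds:Reference URI="#_a1"><ds:Transforms>
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>
</saml:Assertion>"""

# Constructed sample: same document but with an XSLT transform, which SAML forbids.
XSLT_SAMPLE = CONFORMING_SAMPLE.replace(
    'Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"',
    'Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116"')

if __name__ == "__main__":
    print("conforming:", saml_transforms_ok(CONFORMING_SAMPLE))
    print("xslt rejected:", disallowed_transforms(XSLT_SAMPLE))
```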

