    Security Advisory- SAML vulnerability (CVE-2018-0489) – Updated February 28, 2018
    Subject: SAML vulnerability (CVE-2018-0489) – Updated February 28, 2018

    Overview

Ex Libris has been made aware of a recently discovered vulnerability (CVE-2018-0489) that affects SAML Single Sign-On implementations and is rated as “High”.

An attacker may potentially be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attacker to bypass authentication to SAML service providers.

    Description

This flaw allows changes to an XML document that do not break its digital signature but can alter the user data passed through to applications behind the Service Provider, resulting in impersonation attacks and exposure of information.

    • The use of XML Encryption is a significant mitigation, but we have not dismissed the possibility that attacks on the Response "envelope" may be possible.
    • No actual attacks of this nature are currently known.
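The mechanism behind this class of bug, shown as an added example that is not part of the advisory and not Ex Libris or Shibboleth code: as the CERT and CVE references below describe, an XML signature is computed over the canonical form of the document, from which comments are removed, while a DOM-based reader that takes only the first text node of a value sees a different string once a comment splits that text. The Python below (3.8+, standard library only) uses HMAC over the canonical form as a stand-in for XML-DSig, the standard library's C14N 2.0 in place of the Exclusive C14N that SAML uses (both drop comments, which is the property that matters here), and a constructed minimal assertion; it contrasts the fragile reader with a hardened one that rejects any non-text node inside the NameID.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: a minimal assertion as the IdP would sign it (not a real SAML message).
SIGNED_ASSERTION = (
    '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<Subject><NameID>alice.smith@example.org</NameID></Subject>'
    '</Assertion>'
)
# The same document after an XML comment has been inserted inside the NameID text.
MODIFIED_ASSERTION = SIGNED_ASSERTION.replace(
    "alice.smith@example.org", "alice<!-- -->.smith@example.org"
)
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Stand-in for the IdP's signing key; real XML-DSig uses an asymmetric key pair.
SIGNING_KEY = b"constructed-demo-key"


def canonicalize(xml_text: str) -> str:
    """Canonical XML (stdlib C14N 2.0); comments are dropped, as in exc-c14n."""
    return ET.canonicalize(xml_text, with_comments=False)


def sign(xml_text: str) -> str:
    """HMAC over the canonical form stands in for XML-DSig's hash-then-sign step."""
    return hmac.new(SIGNING_KEY, canonicalize(xml_text).encode(), hashlib.sha256).hexdigest()


def signature_valid(xml_text: str, signature: str) -> bool:
    """Verifier side: recompute over the canonical form and compare."""
    return hmac.compare_digest(sign(xml_text), signature)


def parse(xml_text: str) -> ET.Element:
    """Build a tree that keeps comment nodes, like a comment-preserving DOM."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def nameid_first_text_node(xml_text: str) -> str:
    """The fragile pattern: read only the text before the first child node."""
    elem = parse(xml_text).find("saml:Subject/saml:NameID", NS)
    return elem.text or ""


def nameid_hardened(xml_text: str) -> str:
    """Require a pure-text NameID; any child node (comment or element) is rejected."""
    elem = parse(xml_text).find("saml:Subject/saml:NameID", NS)
    if elem is None:
        raise ValueError("NameID missing")
    if len(elem) > 0:
        raise ValueError("NameID contains non-text nodes; rejecting assertion")
    # itertext() joins every text node, so a split value can never be truncated.
    return "".join(elem.itertext())


if __name__ == "__main__":
    sig = sign(SIGNED_ASSERTION)
    print("signature still valid after modification:", signature_valid(MODIFIED_ASSERTION, sig))
    print("fragile reader sees:", nameid_first_text_node(MODIFIED_ASSERTION))
    try:
        nameid_hardened(MODIFIED_ASSERTION)
    except ValueError as err:
        print("hardened reader:", err)
```

The two assertions canonicalize to the same bytes, so the signature check alone cannot tell them apart; the fix is on the consuming side. In a real Service Provider the hardened extractor corresponds to the vendor patch, and the advisory's advice to apply it stands: this example only shows why signature verification by itself is not enough.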
    Reference

Detailed information about this vulnerability is available in the NIST advisory for CVE-2018-0489.

    Additional references

    More detailed analysis of this vulnerability is available from:

    • http://www.securitynewspaper.com/2018/02/28/vulnerability-found-single-sign-products/
    • https://www.kb.cert.org/vuls/id/475445
    • https://www.bleepingcomputer.com/news/security/saml-vulnerability-lets-attackers-log-in-as-other-users/
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0489
    Effective Security Severity Level:

    High

    Affected Systems:

Ex Libris products that use Shibboleth SAML services as the authentication Service Provider.

    Tests and Certifications:

    The mitigation for this vulnerability has been identified, tested and certified for Ex Libris products.

    Actions Taken for Ex Libris Hosted solution:

All Ex Libris hosted solutions that authenticate through the Ex Libris hosted Shibboleth Service Provider are protected from this vulnerability, and customers do not need to take any action.

    Required Actions for on-Premise/Local Systems:

For customers that use their locally installed institutional identity management system as the Service Provider to authenticate Ex Libris products, Ex Libris strongly recommends following your identity management vendor's instructions (such as the instructions published by Shibboleth).
