Subject: SAML vulnerability (CVE-2018-0489) – Updated February 28, 2018
Ex Libris has been made aware of a recently discovered vulnerability (CVE-2018-0489) that affects SAML Single Sign On implementations and is rated as “High”.
An attacker may potentially able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
This vulnerability flaw allows for changes to an XML document do not break a digital signature but can alter the user data passed through to applications behind the Service Provider and result in impersonation attacks and exposure of information
- The use of XML Encryption is a significant mitigation, but we have not dismissed the possibility that attacks on the Response "envelope" may be possible.
- No actual attacks of this nature are currently known.
Detailed information about this vulnerability can be found in the NIST advisory CVE-2018-0489 where more information is available.
More detailed analysis of this vulnerability is available from:
Effective Security Severity Level:
Ex Libris products using SAML Shibboleth services as an authentication Service provider.
Tests and Certifications:
The mitigation for this vulnerability has been identified, tested and certified for Ex Libris products.
Actions Taken for Ex Libris Hosted solution:
All of Ex Libris hosted solutions that are authenticated by Ex Libris hosted Shibboleth service provider solution are protected from this vulnerability and customer do not need to take any actions.
Required Actions for on-Premise/Local Systems:
For customers that are using their locally installed institutional identity management as a service provider to authenticate Ex Libris product, Ex Libris strongly recommends following your identity management vendor's instructions (such as the instructions listed by Shibboleth)