Skip to main content
ExLibris
  • Subscribe by RSS
  • Ex Libris Knowledge Center

    Security Update - SAML vulnerability (CVE-2018-0489) – Updated February 28, 2018

    Subject: SAML vulnerability (CVE-2018-0489) – Updated February 28, 2018

    Overview

    Ex Libris has been made aware of a recently discovered vulnerability (CVE-2018-0489) that affects SAML Single Sign On implementations and is rated as “High”. 

    An attacker may potentially able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

    Description

    This vulnerability flaw allows for changes to an XML document do not break a digital signature but can alter the user data passed through to applications behind the Service Provider and result in impersonation attacks and exposure of information 

    • The use of XML Encryption is a significant mitigation, but we have not dismissed the possibility that attacks on the Response "envelope" may be possible.
    • No actual attacks of this nature are currently known.
    Reference

    Detailed information about this vulnerability can be found in the NIST advisory CVE-2018-0489 where more information is available.

    Effective Security Severity Level:

    High

    Affected Systems:

    Ex Libris products using SAML Shibboleth services as an authentication Service provider.

    Tests and Certifications:

    The mitigation for this vulnerability has been identified, tested and certified for Ex Libris products.

    Actions Taken for Ex Libris Hosted solution:

    All of Ex Libris hosted solutions that are authenticated by Ex Libris hosted Shibboleth service provider solution are protected from this vulnerability and customer do not need to take any actions.

    Required Actions for on-Premise/Local Systems:

    For customers that are using their locally installed institutional identity management as a service provider to authenticate Ex Libris product, Ex Libris strongly recommends following your identity management vendor's instructions (such as the instructions listed by Shibboleth)

    • Was this article helpful?