Recently Discovered SAML Auth. Bypass Vulnerabilities

Written by Greg Keller on March 2, 2018


Notice On Recently Discovered SAML Authentication Bypass Vulnerabilities

On February 27, 2018, Duo Security announced they had discovered vulnerabilities in these SAML libraries:
CVE-2017-11427 – OneLogin’s “python-saml”
CVE-2017-11428 – OneLogin’s “ruby-saml”
CVE-2017-11429 – Clever’s “saml2-js”
CVE-2017-11430 – “OmniAuth-SAML”
CVE-2018-0489 – Shibboleth OpenSAML C++
You may also refer to the CERT/CC Vulnerability Notes Database, which maintains an updated list of affected and not-affected SAML toolkit vendors. Please be sure to review it periodically, as vendor statuses are still being updated.
Please be informed that JumpCloud, as an Identity Provider (IdP) offering SAML authentication services, does not deploy or leverage any of the affected software mentioned in Duo's report. Further, we have analyzed our own SAML infrastructure for the same class of flaw and found no need to modify our implementation. No action is required for customers of JumpCloud.
Should you wish to understand exactly how the vulnerability can be exploited, specifically as it pertains to the Service Provider (SP) side of the SAML transaction, we recommend Kelby Ludwig's excellent breakdown on Duo Security's blog. We also strongly recommend contacting your Service Providers to confirm that they have no known issues and are not using any of the affected SAML libraries listed above.
If you have any additional questions or concerns, please feel free to contact our Customer Success team and we'll be happy to speak with you.
