
Recently Discovered SAML Auth. Bypass Vulnerabilities

Notice On Recently Discovered SAML Authentication Bypass Vulnerabilities

On February 27, 2018, Duo Security announced they had discovered vulnerabilities in these SAML libraries:
CVE-2017-11427 – OneLogin’s “python-saml”
CVE-2017-11428 – OneLogin’s “ruby-saml”
CVE-2017-11429 – Clever’s “saml2-js”
CVE-2017-11430 – “OmniAuth-SAML”
CVE-2018-0489 – Shibboleth OpenSAML C++
You may also refer to the Vulnerability Notes Database, which maintains an updated list of affected and unaffected SAML toolkit vendors. Please review it periodically.
Please be informed that JumpCloud, as an Identity Provider (IdP) offering SAML authentication services, does not deploy or leverage any of the affected software named in Duo’s report. We have also analyzed our own SAML infrastructure against these vulnerabilities and found no need to modify our implementation. No action is required for customers of JumpCloud.
Should you wish to understand exactly how the vulnerability can be exploited, specifically as it pertains to the Service Provider (SP) side of the SAML transaction, we recommend Kelby Ludwig’s excellent breakdown on Duo Security’s blog. We also strongly recommend contacting your Service Providers to confirm that they have no known issues and do not use any of the affected SAML libraries listed above.
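The following is an added example (not JumpCloud’s code, nor code from any of the libraries listed above) showing the SP-side check behind that recommendation. Duo’s report traced the affected libraries to the same root cause: an XML comment placed inside a NameID splits its text into two text nodes, and an extractor that reads only the first node sees a different identity from the one the IdP signed, while the signature over the full document still verifies. The two Subject fragments below are constructed samples, not real assertions, and the helper and function names are this example’s own.

```python
"""Compare a naive and a strict NameID extractor on the XML-comment case.

Added illustration, not code from the page or the affected libraries. Uses
xml.dom.minidom because it keeps comment nodes, so the split is visible.
"""
import xml.dom.minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def _subject(name_id_markup: str) -> str:
    """Wrap constructed NameID markup in a minimal saml:Subject element."""
    return (f'<saml:Subject xmlns:saml="{SAML_NS}">'
            f"<saml:NameID>{name_id_markup}</saml:NameID></saml:Subject>")


# Constructed samples (not real SAML responses).
CLEAN_SUBJECT = _subject("user@example.com")
# Same identity with an empty comment inserted; the surrounding text is split.
COMMENT_SUBJECT = _subject("user@example.com<!---->.example.org")


def _name_id_node(xml_text: str):
    """Return the single saml:NameID element, failing on zero or many."""
    doc = xml.dom.minidom.parseString(xml_text)
    nodes = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(nodes) != 1:
        raise ValueError(f"expected exactly one NameID, found {len(nodes)}")
    return nodes[0]


def naive_name_id(xml_text: str) -> str:
    """Read only the first text node: the pattern the 2018 report described."""
    return _name_id_node(xml_text).firstChild.data


def strict_name_id(xml_text: str) -> str:
    """Concatenate every text node and reject any other child node.

    Rejecting comments (and, conservatively, CDATA or nested elements) means
    the extracted value can only be the full character content the signature
    covered, never a prefix of it.
    """
    node = _name_id_node(xml_text)
    parts = []
    for child in node.childNodes:
        if child.nodeType != child.TEXT_NODE:
            raise ValueError(f"NameID contains a non-text node: {child.nodeName}")
        parts.append(child.data)
    value = "".join(parts)
    if not value.strip():
        raise ValueError("empty NameID")
    return value


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SUBJECT), ("comment", COMMENT_SUBJECT)):
        print(label, "naive  ->", naive_name_id(sample))
        try:
            print(label, "strict ->", strict_name_id(sample))
        except ValueError as exc:
            print(label, "strict -> rejected:", exc)
```

Run as a script, the naive extractor returns the same `user@example.com` for both samples, whereas the strict one accepts the clean sample and rejects the comment-bearing one. An SP that already verifies the XML signature correctly still needs this kind of extraction discipline, because signature verification and identity extraction are separate steps and the bug lives in the second.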
If you have any additional questions or concerns, please feel free to contact our Customer Success team and we’ll be happy to speak with you.

