SAML Single Sign On Security Advisories

2018-03-01 Values in SAML Response can be shortened

Summary: Values in SAML Response can be shortened

Advisory Release Date:
- 02 Mar 2018 - Interim Version
- 09 Mar 2018 - Final Version
- 23 Mar 2018 - Clarification of fix versions for old EOL systems

Product:
- SAML Single Sign On (SSO) for JIRA
- SAML Single Sign On (SSO) for Confluence

Affected SAML SSO versions: 0.14.7 and older (except Jira 0.11.4 and Confluence 0.12.3.3)

Fixed SAML SSO versions: Version 0.15.3 and higher are not affected by this issue. The SAML Single Sign On (SSO) add-ons for Bitbucket and Bamboo are not affected. Jira version 0.11.4 and Confluence version 0.12.3.3 have been released as fix versions for very old EOL systems.

Summary of Vulnerability

This advisory discloses a medium severity security vulnerability affecting SAML Single Sign On Plugin version 0.14.7 and older (except 0.12.3.3). All 0.15.x and 2.x releases are not affected. Please upgrade your installations immediately to fix this vulnerability.

Details

In very specific cases, this vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user's password.

For more details, please see https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations or https://www.kb.cert.org/vuls/id/475445.

The vulnerability allows an attacker to manipulate the SAML response so that information extracted from it, including the userid to be logged in, is shortened. In the following example, the NameID value containing the userid is modified by inserting an XML comment. Any change other than inserting a comment would invalidate the response's signature, so the response would not be accepted. Affected versions would parse the NameID value as admin instead of eviladmin.
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://issuer</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2018-03-02T12:13:26.193Z" Version="2.0">
    <saml2:Issuer>http://issuer</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">evil<!-- -->admin</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement/>
  </saml2:Assertion>
</saml2p:Response>

To exploit this, the following prerequisites must be met:
- The SAML Single Sign On add-on is installed in version 0.14.7 or older.
- The attacker has valid access with a userid which can be turned into the victim user's userid by cutting off characters at the end.

What You Need to Do

Upgrade to SAML Single Sign On (SSO) version 0.15.3 or higher. For all current Confluence and Jira versions that are not end of life yet, either a 0.15.x or a 2.x version is available.

Jira version 0.11.4 has been added to the Marketplace for very old end-of-life Jira installations. Confluence version 0.12.3.3 has been added to the Marketplace for very old end-of-life Confluence installations.

If you are running older versions of Jira or Confluence and cannot update, please raise a support request via our Support Portal.

Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.
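The following is an added illustration of the parsing weakness the advisory describes; it is not the add-on's code and the advisory does not say which DOM call the affected versions used. It assumes the typical pattern: the NameID value is read from a single text node, so the comment splits "eviladmin" into two text nodes and only one fragment is seen (the example reads the last one, which reproduces the "admin" outcome stated above). Beside that it shows two defender-side fixes: joining all text nodes, and, stricter, rejecting any NameID that carries anything other than character data, since a legitimate IdP never emits comments or child elements inside a NameID. The SAML response is constructed inline after the advisory's example.

```python
import xml.dom.minidom as minidom
from xml.dom import Node

ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample (not a captured response), modelled on the advisory's
# example: the attacker's own NameID "eviladmin" split by an empty comment.
TAMPERED_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">evil<!-- -->admin</saml2:NameID>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>
"""

# The legitimate response for the real "admin" user, with no comment inside NameID.
CLEAN_RESPONSE = TAMPERED_RESPONSE.replace("evil<!-- -->admin", "admin")


def _name_id_element(xml_text):
    """Locate the single NameID element of the assertion (minidom keeps comments)."""
    doc = minidom.parseString(xml_text)
    nodes = doc.getElementsByTagNameNS(ASSERTION_NS, "NameID")
    if len(nodes) != 1:
        raise ValueError("expected exactly one NameID, found %d" % len(nodes))
    return nodes[0]


def single_node_name_id(xml_text):
    """Illustrative vulnerable pattern (an assumption, not the add-on's source):
    the value is taken from one text node only. The comment turns the content
    into [Text 'evil', Comment, Text 'admin'], so the last node alone is 'admin'."""
    elem = _name_id_element(xml_text)
    return elem.lastChild.data


def joined_name_id(xml_text):
    """Fix 1: concatenate every character-data node, so a comment cannot
    shorten the value; the result for the tampered response is 'eviladmin'."""
    elem = _name_id_element(xml_text)
    return "".join(
        child.data for child in elem.childNodes
        if child.nodeType in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE)
    )


def strict_name_id(xml_text):
    """Fix 2 (preferred): a NameID may contain character data only. Comments,
    elements or processing instructions inside it are rejected outright rather
    than parsed around; the rejection reason is worth logging for detection."""
    elem = _name_id_element(xml_text)
    for child in elem.childNodes:
        if child.nodeType not in (Node.TEXT_NODE, Node.CDATA_SECTION_NODE):
            raise ValueError(
                "NameID contains non-text node type %d; rejecting response" % child.nodeType
            )
    value = "".join(child.data for child in elem.childNodes)
    if not value.strip():
        raise ValueError("NameID is empty; rejecting response")
    return value


if __name__ == "__main__":
    print("vulnerable read:", single_node_name_id(TAMPERED_RESPONSE))  # admin
    print("joined read    :", joined_name_id(TAMPERED_RESPONSE))       # eviladmin
    try:
        strict_name_id(TAMPERED_RESPONSE)
    except ValueError as err:
        print("strict read    : rejected (%s)" % err)
    print("strict, clean  :", strict_name_id(CLEAN_RESPONSE))          # admin
```

The strict variant is the one to prefer in a service provider: joining text nodes stops this particular shortening, but rejecting any non-text content inside NameID also closes the related cases (child elements, processing instructions) and gives an unambiguous event to alert on, since a response with such content is never produced by a well-behaved IdP.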