Published: 31st August 2016
The following four scenarios were found to be vulnerable to XML Signature Wrapping (XSW) attacks in the WSO2 platform:
None of the external applications (e.g. Google Apps, Salesforce) that use WSO2 Identity Server as a SAML 2.0 or WS-Federation Identity Provider are vulnerable to this attack.
To preserve the integrity of the SAML assertion and response sent by the SAML Identity Provider to the Service Provider (relying party), XML signatures are used. The relying party validates the signature on the assertion and response to ensure that the original message has not been altered. In an XML Signature Wrapping attack, the signed element is left intact, so the signature still verifies, but the structure of the message around it is altered so that the relying party verifies one element and then acts on another when it parses the XML.
The attacker must already hold a valid SAML token in order to wrap its signature and forward the result to the relying party. Therefore the attacker must be an internal user of the organization who already possesses a valid user account in the system.
Through a successful exploit of the vulnerability, the attacker would be able to impersonate another user and gain access to the SAML SSO consumer applications that the victim is authorized to use.
However, the attack is only possible where WSO2 products act as the SAML consumer (e.g. API Manager Store/Publisher, Identity Server Dashboard). Other SAML relying-party websites/applications that use WSO2 Identity Server as an Identity Provider are not affected by this attack.
After applying the patches below, WSO2 products correctly validate SAML responses and assertions in SAML consumer applications and are no longer susceptible to XML Signature Wrapping (XSW) attacks.
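The structural flaw described above, and the check that closes it, as an added illustration that is not WSO2's code and not the patched validation logic of any WSO2 product. A real consumer verifies an enveloped XML-DSig over the canonicalized assertion with the IdP's public key; here an HMAC over the serialized element stands in for that step, because the point being shown is structural: the vulnerable consumer resolves the signature's Reference to one element and then reads the identity from whichever Assertion appears first. The attacker ("mallory") starts from their own valid signed response, as the advisory requires, and wraps it to claim the victim ("alice"). All names, IDs, element placement and the key are constructed for the example.

```python
"""Added example: XML Signature Wrapping against a naive SAML consumer (not WSO2 code).
HMAC over the serialized element stands in for XML-DSig; the flaw shown is structural."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():          # stable prefixes => stable serialization
    ET.register_namespace(_prefix, _uri)

ASSERTION = f"{{{NS['saml']}}}Assertion"
IDP_KEY = b"constructed-demo-key"         # constructed stand-in for the IdP signing key


def sign(elem):
    """Stand-in for XML-DSig: HMAC over the serialized element (tail stripped)."""
    c = copy.deepcopy(elem)
    c.tail = None
    return hmac.new(IDP_KEY, ET.tostring(c), hashlib.sha256).hexdigest()


def build_signed_response(name_id, assertion_id="_a1"):
    """IdP side: a Response whose Assertion is referenced by ID from the Signature."""
    resp = ET.Element(f"{{{NS['samlp']}}}Response")
    a = ET.SubElement(resp, ASSERTION, ID=assertion_id)
    subj = ET.SubElement(a, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subj, f"{{{NS['saml']}}}NameID").text = name_id
    sig = ET.SubElement(resp, f"{{{NS['ds']}}}Signature")
    ET.SubElement(sig, f"{{{NS['ds']}}}Reference", URI="#" + assertion_id)
    ET.SubElement(sig, f"{{{NS['ds']}}}SignatureValue").text = sign(a)
    return ET.tostring(resp)


def wrap_signature(response_xml, victim_name_id):
    """Attacker side: keep the signed assertion (so the signature still verifies)
    but move it out of the way and put a forged assertion where the consumer looks."""
    root = ET.fromstring(response_xml)
    original = root.find("saml:Assertion", NS)
    root.remove(original)
    forged = ET.Element(ASSERTION, ID="_forged")
    subj = ET.SubElement(forged, f"{{{NS['saml']}}}Subject")
    ET.SubElement(subj, f"{{{NS['saml']}}}NameID").text = victim_name_id
    root.insert(0, forged)                                            # forged first
    ET.SubElement(root, f"{{{NS['samlp']}}}Extensions").append(original)  # original hidden
    return ET.tostring(root)


def _reference(root):
    sig = root.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("unsigned response")
    uri = sig.find("ds:Reference", NS).get("URI", "")
    return uri, sig.find("ds:SignatureValue", NS).text


def vulnerable_consumer(response_xml):
    """Verifies the referenced element, then reads identity from the first Assertion."""
    root = ET.fromstring(response_xml)
    uri, value = _reference(root)
    # Flaw 1: resolve the ID anywhere in the document, wherever it was moved to
    signed = next(e for e in root.iter() if e.get("ID") == uri[1:])
    if not hmac.compare_digest(sign(signed), value):
        raise ValueError("bad signature")
    # Flaw 2: consume identity via a different lookup than the one that was verified
    return root.find("saml:Assertion", NS).find("saml:Subject/saml:NameID", NS).text


def hardened_consumer(response_xml):
    """Binds signature verification to the exact element whose data is consumed."""
    root = ET.fromstring(response_xml)
    uri, value = _reference(root)
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    matches = [e for e in root.iter() if e.get("ID") == uri[1:]]
    if len(matches) != 1:
        raise ValueError("reference must resolve to exactly one element")
    signed = matches[0]
    # The signed element must be the one and only Assertion, directly under Response
    if (signed.tag != ASSERTION or signed not in list(root)
            or root.findall(".//saml:Assertion", NS) != [signed]):
        raise ValueError("signed element is not the sole top-level assertion")
    if not hmac.compare_digest(sign(signed), value):
        raise ValueError("bad signature")
    # Identity is read only from the element that was just verified
    return signed.find("saml:Subject/saml:NameID", NS).text


if __name__ == "__main__":
    genuine = build_signed_response("mallory")   # attacker's own valid token
    wrapped = wrap_signature(genuine, "alice")   # now claims the victim's identity
    print(vulnerable_consumer(wrapped))          # alice: impersonation succeeds
    try:
        hardened_consumer(wrapped)
    except ValueError as err:
        print("rejected:", err)
```

The hardened consumer applies the rule that closes every XSW variant of this shape: resolve the Reference once, refuse ambiguous IDs, require the signed element to be exactly the element the application is about to consume (here, the sole Assertion directly under the Response), and read the subject only from that verified element. The cryptography is unchanged between the two consumers; only the binding between "what was verified" and "what was used" differs.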
Apply the following patches based on the products you use, following the instructions in the README file.
If you have any questions, post them to firstname.lastname@example.org
Please download the relevant patches based on the products you use following the matrix below. Patches can also be downloaded from http://wso2.com/security-patch-releases/.
WSO2 API Manager
WSO2 API Manager Analytics
WSO2 App Manager
WSO2 Application Server
WSO2 Business Process Server
WSO2 Business Rules Server
WSO2 Complex Event Processor
WSO2 Data Analytics Server
WSO2 Dashboard Server
WSO2 Data Services Server
WSO2 Enterprise Mobility Manager
WSO2 Identity Server
WSO2 Message Broker
WSO2 Machine Learner
If you are using newer versions of the products than those mentioned in the “SOLUTION” section, this vulnerability is already fixed in them.