Cloud Financial Management (FinOps)
Autoscaling applications
Amazon Web Services
Big data
Container infrastructure
Microsoft Azure
Reserved commitment management
Cloud services for MSPs
Google Cloud
Spot Overview
About NetApp
Elastigroup
Ocean
Ocean CD
Spot Connect
Eco
Cost Intelligence
Billing Engine
CloudCheckr
Ocean for Apache Spark
Spot Security
Case Studies
Resource Center
Documentation
News
Service Status
What Is CloudOps?
How to Operationalize FinOps
About Us
Contact Us
Careers
Related CVEs
CVE-2017-11427 – OneLogin’s “python-saml“
CVE-2017-11428 – OneLogin’s “ruby-saml“
CVE-2017-11429 – Clever’s “saml2-js”
CVE-2017-11430 – “OmniAuth-SAML”
CVE-2018-0489 – Shibboleth openSAML C++
Vulnerability Note VU#475445 (https://www.kb.cert.org/vuls/id/475445) relates to hijacking SAML documents by adding comments to fields, manipulating the identification of a user. As a SAML Service Provider, Spotinst has verified that all XML parsing within our system handles comments correctly. Spotinst does not use any of the libraries specifically called out. Furthermore, we have tested the core XML libraries in use against the described attacks. Testing has revealed that the vulnerability cannot be reproduced against our Service Provider SAML interfaces.
With that said, upstream Identity Providers (IDPs) will need to make their own modifications to ensure their platforms properly support comments within SAML documents. Please refer to statements from your IDP service and/or library in regards to mitigations they have taken for this vulnerability.
Please don’t hesitate to reach out to Spotinst Customer Support (cs@spotinst.com) with any security question.