Find Answers
Qlik Community
Collaborate with over 60,000 Qlik technologists and members around the world to get answers to your questions, and maximize success.
Join Us
Knowledge
Is Qlik Sense affected by CWE-287: Improper Authentication
Article Number: 000047447 | Last Modified: 2018/11/21Description
This article will outline whether Qlik Sense is affected by the CWE 287 : Improper Authentication vulnerability found in some SAML modules.
More reading:
https://www.kb.cert.org/vuls/id/475445
https://cwe.mitre.org/data/definitions/287.html
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
Overview
Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
Description
CWE-287: Improper Authentication
Security Assertion Markup Language (SAML) is an XML-based markup language for security assertions regarding authentication and permissions, most commonly used for single sign-on (SSO) services.
Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message.
A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider
The following CVEs are assigned:
CVE-2017-11427 - OneLogin’s "python-saml"
CVE-2017-11428 - OneLogin’s "ruby-saml"
CVE-2017-11429 - Clever’s "saml2-js"
CVE-2017-11430 - "OmniAuth-SAML"
CVE-2018-0489 - Shibboleth openSAML C++
Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.
Description
CWE-287: Improper Authentication
Security Assertion Markup Language (SAML) is an XML-based markup language for security assertions regarding authentication and permissions, most commonly used for single sign-on (SSO) services.
Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message.
A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider
The following CVEs are assigned:
CVE-2017-11427 - OneLogin’s "python-saml"
CVE-2017-11428 - OneLogin’s "ruby-saml"
CVE-2017-11429 - Clever’s "saml2-js"
CVE-2017-11430 - "OmniAuth-SAML"
CVE-2018-0489 - Shibboleth openSAML C++
More reading:
https://www.kb.cert.org/vuls/id/475445
https://cwe.mitre.org/data/definitions/287.html
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
Resolution
No, the way that Qlik Sense parses XML used in SAML requests / responses is not affected by CWE-287
Get Answers
Find Answers
Get Support
Have a Question?
Search Qlik's Support Knowledge database or request assisted support for highly complex issues.
Submit a case
Talk with a Representative
Critical Issues
Experiencing a serious issue, please contact us by phone. For Data Integration related issues please refer to your onboarding documentation for current phone number.
Call Us