OneLogin has been a pioneer of secure single sign-on, pushing for the wide adoption of standards such as SAML and OpenID Connect as secure alternatives to password-based authentication. One of OneLogin’s key initiatives has been publishing SAML open source toolkits, also known as libraries, to enable any organization or SaaS vendor to adopt SAML at no cost. Today, thousands of SaaS applications leverage OneLogin’s SAML toolkits and thousands more have adopted the standard to secure their users.
These open-source toolkits are completely independent of the OneLogin platform and are maintained by a dedicated team of engineers and the broader developer community. Maintenance includes gathering feedback on potential improvements and on potential security vulnerabilities, which we address as needed. Typically, this process includes posting a CVE identifier, if available, and reaching out to any developer teams that we know are using the toolkit in question.
Earlier today, security researchers from Duo Labs and the US Computer Emergency Response Team Coordination Center (CERT/CC) released security advisories detailing a new SAML vulnerability. As is standard practice, CERT/CC reached out to OneLogin in advance of this publication in order for us to address the impacted OneLogin toolkits, and they provided the CVE identifiers CVE-2017-11427 and CVE-2017-11428. OneLogin prepared patched versions of the impacted toolkits ahead of time, and in coordination with CERT/CC and their security advisory, published them this morning.
It is standard industry practice, upheld by CERT/CC, for vendors to not announce vulnerabilities before the official publication, in order to allow all other vendors in the market to respond and patch their platforms as well to ensure the security of the broader Internet community.
Please note that there is no action required for users of the OneLogin platform itself; the required action is for developers that maintain apps that depend on any of the toolkits listed in the security advisory to use the provided patched versions. As an additional precautionary step, you should contact all the SAML service providers you use to verify their stance on the issue.
Below is a summary of the communication that was shared with toolkit users earlier today:
Security Notice: Vulnerability Note VU#475445
Security researchers from Duo Labs and the US Computer Emergency Response Team Coordination Center (CERT/CC) released security advisories this morning detailing a new SAML vulnerability. CERT/CC reached out to OneLogin in advance of this publication in order for us to address the impacted OneLogin toolkits / libraries, specifically CVE-2017-11427 and CVE-2017-11428.
Once the security advisories were published, we were then allowed to publish our patches located here:
- ruby-saml https://github.com/onelogin/ruby-saml/releases/tag/v1.7.0
- python-saml https://github.com/onelogin/python-saml/releases/tag/v2.4.0
- python3-saml https://github.com/onelogin/python3-saml/releases/tag/v1.4.0