Virtually every day, we hear something new about vulnerabilities in, and attacks on, enterprise cybersecurity initiatives. The latest issue has many organizations on alert. The risk lies in how multiple open-source SAML libraries allow authentication to be bypassed because they parse SAML assertions incorrectly, a result of improper XML canonicalization.
Ping Identity is happy to inform you that our products aren’t affected by this vulnerability, and we don’t integrate with—nor do we ship—any of the affected libraries listed in the Vulnerability Note VU#475445 published by CERT.
IDaaS Environments (PingOne and PingID)

PingOne and AD Connect share common usage of SAML-processing libraries with PingFederate. These libraries have been tested and found to be unaffected by the issue described in the Vulnerability Note.
On-premises Software (PingFederate, PingAccess, PingDirectory, PingDataSync and PingDataGovernance)

PingFederate (7.x, 8.x and 9.x) is our on-premises product that specifically processes SAML requests and assertions. The SAML message-processing libraries used by PingFederate have been tested and found to be unaffected by the issue described in the Vulnerability Note.
To protect your organization, we strongly encourage customers to review their use of open-source libraries, especially those listed in the Vulnerability Note. Where SAML products are used, don’t hesitate to challenge your vendors to confirm that their products haven’t been affected by this vulnerability.