Security researchers from Duo Labs and the US Computer Emergency Response Team Coordination Center (CERT/CC) released security advisories detailing a new SAML vulnerability https://www.kb.cert.org/vuls/id/475445. Oomnitza utilizes the python-saml open source library and is affected by this vulnerability. To resolve this issue a patch will be deployed for all systems by Monday, March 5, 2018.
By modifying SAML content without invalidating the cryptographic signature, a remote, unauthenticated attacker may be able to bypass primary authentication for OneLogin and other affected SAML service providers. Oomnitza does not have any indication that the vulnerability was exploited in our systems.
Customer Required Action
No action steps are required on your part. If you have any questions, please contact firstname.lastname@example.org.
Mitigating The Vulnerability
If possible, it is recommended to temporarily disable OneLogin SAML support in the settings until the patch is deployed by March 5, 2018. If this is not possible, system operations engineers can configure a whitelist of accepted networks and domain names to limit who can authenticate to the application.
The Oomnitza Team