VMware Response to VU#475445 Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal

Article ID: 320906

Products

VMware vCenter Server

Issue/Introduction

The VMware Security Engineering, Communications and Response group (vSECR) has investigated the impact that this vulnerability may have on VMware products.

Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers.

Resolution

vSECR has evaluated this vulnerability and determined that all of the following conditions must be met for it to be exploitable:
  • SAML Responses contain strings that identify the authenticating user.
  • XML canonicalization (in most cases) will remove comments as part of signature validation, so adding comments to a SAML Response will not invalidate the signature.
  • XML text extraction may only return a substring of the text within an XML element when comments are present.
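The second and third conditions above, shown on a constructed SAML fragment with Python's standard-library DOM (this is an added illustration, not VMware code): reading only the first text node of NameID returns a substring when a comment is present, while concatenating all text nodes returns the value the signature actually covers. The element names and the sample identifier are assumptions for the example.

```python
# Added example (not VMware code): demonstrates the text-extraction pitfall
# described in the advisory using Python's xml.dom.minidom, beside a safe
# extraction and a simple detection check.
from xml.dom import minidom

# Constructed SAML fragment for illustration only. The comment inside NameID
# is dropped by standard XML canonicalization, so the canonical form that the
# signature covers is unchanged by it.
CONSTRUCTED_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml:Subject><saml:NameID>'
    'alice@example.com<!-- constructed comment -->.example.org'
    '</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)


def _name_id(xml_text: str):
    doc = minidom.parseString(xml_text)
    # minidom is not namespace-aware here, so match the qualified tag name
    return doc.getElementsByTagName("saml:NameID")[0]


def name_id_first_text_node(xml_text: str) -> str:
    """The pitfall: reading only the first child text node of NameID.

    With a comment in the middle, the DOM holds two text nodes around a
    comment node, so this returns only the substring before the comment."""
    return _name_id(xml_text).firstChild.data


def name_id_full_text(xml_text: str) -> str:
    """Safe extraction: concatenate every text and CDATA node under NameID,
    skipping comment nodes, so the value used for authorization matches the
    canonicalized content that was signed."""
    node_types = (minidom.Node.TEXT_NODE, minidom.Node.CDATA_SECTION_NODE)
    return "".join(
        node.data for node in _name_id(xml_text).childNodes
        if node.nodeType in node_types
    )


def name_id_has_comment(xml_text: str) -> bool:
    """Detection aid: flag a NameID that carries comment children, which an
    identity provider has no legitimate reason to emit."""
    return any(
        node.nodeType == minidom.Node.COMMENT_NODE
        for node in _name_id(xml_text).childNodes
    )
```

A service provider can use the full-text extraction for the identifier it authorizes and log or reject responses where the comment check fires.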

Unaffected Products

It has been determined that exploitation is not possible in the following products as one or more of the aforementioned requirements are not met. If a specific version number is not listed next to a product entry, then that entry refers to all supported versions of that product.
  • VMware vCenter Server
  • VMware Identity Manager
  • VMware Cloud Director
Note: Automated vulnerability scanners may report that these products are vulnerable even though the issue is not exploitable.