
  • Security Update to End User SSO Service


    Executive Summary
    This security update resolves a vulnerability in the Security Assertion Markup Language (SAML) library used by Druva Cloud Products.

    Multiple SAML libraries may incorrectly use the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, potentially allowing the attacker to bypass authentication to SAML service providers.

    The security update is rated High. 

    The update addresses vulnerabilities in Druva Cloud Products. For more information, see the Affected Software section.

    Vulnerability Information
    This update addresses a critical vulnerability in the Security Assertion Markup Language (SAML) library used by Druva Cloud Products. These libraries may incorrectly use the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data, allowing the SAML authentication mechanism to be bypassed.
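    The defect class described in the Executive Summary and here is a mismatch between what the signed, canonicalized bytes of an assertion represent and what a DOM traversal on the service-provider side returns. The following Python example is added to this page for illustration; it is not Druva's code and is not taken from the advisory. It shows a fragile NameID extraction beside a hardened one, plus a rejection check a service provider can apply. The assertion, the namespace-qualified element names and the identity values are constructed for the example; the only fact relied on is that exclusive XML canonicalization (the form a SAML signature normally covers) omits XML comments.

```python
import xml.dom.minidom as minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertions (not from the advisory). In TAMPERED the
# NameID text is interrupted by an XML comment. Exclusive canonicalization
# drops comments, so the canonical (signed) bytes read the same for both
# samples; only the DOM traversal afterwards decides which identity is seen.
CLEAN = (
    '<saml:Assertion xmlns:saml="%s"><saml:Subject><saml:NameID>'
    'user@example.com.tenant-b.example'
    '</saml:NameID></saml:Subject></saml:Assertion>' % SAML_NS
)
TAMPERED = (
    '<saml:Assertion xmlns:saml="%s"><saml:Subject><saml:NameID>'
    'user@example.com<!-- constructed -->.tenant-b.example'
    '</saml:NameID></saml:Subject></saml:Assertion>' % SAML_NS
)


def name_id_element(xml_text):
    """Parse the assertion and return its NameID element (minidom keeps comments)."""
    doc = minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]


def name_id_first_child(xml_text):
    """Fragile traversal: returns only the first text node, so anything that
    follows a comment inside NameID is silently dropped."""
    return name_id_element(xml_text).firstChild.nodeValue


def name_id_all_text(xml_text):
    """Hardened traversal: join every text node under NameID, which is what
    the canonicalized form covered by the signature actually represents."""
    node = name_id_element(xml_text)
    return "".join(c.nodeValue for c in node.childNodes if c.nodeType == c.TEXT_NODE)


def contains_comment(xml_text):
    """Defensive check: a comment inside NameID has no legitimate use."""
    node = name_id_element(xml_text)
    return any(c.nodeType == c.COMMENT_NODE for c in node.childNodes)


def extract_name_id(xml_text):
    """Service-provider side: reject commented NameIDs, else use the full text."""
    if contains_comment(xml_text):
        raise ValueError("NameID contains comment nodes; rejecting assertion")
    return name_id_all_text(xml_text)
```

The check runs after signature verification, not instead of it; it closes the gap between the verified bytes and the identity the application acts on.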

    Affected Software
    This vulnerability could affect user authentication via SAML (SSO) for Druva Cloud Products – inSync and Phoenix in all clouds. End users that are authenticated via Druva inSync Local Accounts or AD/LDAP accounts are not affected.

    Mitigation/Resolution
    Upon learning of the vulnerability, Druva’s Information Security and Engineering teams immediately confirmed that one of the affected libraries is in use.

    Based on additional analysis, the likelihood of this vulnerability being exploited is extremely low. Druva is currently in the process of validating the patch for the library and will be rolling it into production as per our vulnerability management process.

    Contact
    For any additional information regarding this update, please contact security@druva.com.