This page will be deprecated on Monday, April 30, 2018. If you have any questions please reach out to [email protected].
Security researchers released findings about a vulnerability in some SAML implementations that threat actors could use to bypass primary authentication, potentially elevating permissions or impersonating privileged accounts. Our team was notified of the vulnerability prior to the public announcement, and we immediately undertook a full code review and patched it. Okta is not vulnerable to this, and we don't have any indication that the vulnerability was exploited in our systems.
How does this vulnerability work?
If an attacker is able to create or successfully compromise an account, they could use this vulnerability to insert XML comments into any attribute value in order to gain access to a privileged account, such as an administrator account.
One example: By creating or compromising [email protected], an attacker could use non<comment>[email protected] to potentially get access to either "non" or [email protected] – the latter of which would give privileged access into an organization.
No action is required within Okta, but customers do need to take action to ensure their service providers – such as SaaS applications – have taken the steps that may be required on their end to mitigate the risk of threat actors acting on this vulnerability. If a customer has created their own custom SAML integrations, they should also check those integrations to see if a patch needs to be applied.
Here is a draft ‘Ask Your Third Party Application Vendor’ email template you can use to confirm with your application providers that use SAML authentication whether they have evaluated and implemented patches to fix the SAML vulnerability. Below is an up-to-date list of the patching status reported by the most popular third-party applications in our ecosystem. Return here for updates on the status of these providers.
If you are a vendor and would like to be added to this list, reach out to [email protected]