Clever Engineering Blog — Always a Student

saml2-js and CVE-2017-11429

By Alex Smolen on

Over the past month, Clever worked with CERT to address a vulnerability in our open-source SAML2 library.

Clever maintains an open source library implementing the SAML protocol in Node.js known as saml2-js. We use this library internally in our SAML service provider functionality for schools using Clever SSO and the Clever Portal. It is used by other organizations acting as SAML service providers for verifying SAML assertions.

On January 24, 2108, Clever received an email from CERT describing a potential vulnerability in SAML implementations. We received details about the vulnerability on January 25. We verified the issue affected our saml2-js library, and on January 26 updated our usage of the library in our production services powering SAML integrations for Clever Instant Login to remediate the vulnerability.

We were asked to not share details about this vulnerability until its publication on February 27. Because of the embargo on the issue, we delayed the public patch until February 23, at which point the patch was published as a revision (from 1.12.3 to 1.12.4 and 2.0.1 to 2.0.2) and released on Github and npm. We are currently working with maintainers of npm security vulnerability databases to ensure that older saml2-js are appropriately marked as vulnerable.

At Clever, we’re committed to ensuring that our services are secure, as is any code we publicly release. We’d like the thank the researchers at Duo Security for uncovering this issue and CERT for helping us plan the remediation both internally and for the users of our open source library.