The BMC Application Security team is aware of the recent SAML vulnerability reported by Duo Labs and has determined that BMC’s Remedy Single Sign-On (RSSO) system is not affected by this vulnerability.



The Duo Labs site states that for this vulnerability to be exploited, the following must all be true:

  • The SAML response contains strings identifying the authenticating user
  • XML canonicalization removes comments as part of signature validation, allowing comments to be added to a SAML response without invalidating the signature
  • XML text extraction only returns a substring of the element text when comments are present


Because RSSO returns the entire string (without comments) when extracting element text, the third condition is false.
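To make the three conditions concrete, the following is an added example (not BMC or RSSO code) that parses a constructed SAML-like fragment with the Python standard library: stdlib C14N 2.0 with comments dropped stands in for the signature canonicalization step, and an extractor that reads only the first text node is contrasted with one that joins all text nodes, the behaviour the page attributes to RSSO. The element names, addresses and function names are assumptions.

```python
import xml.etree.ElementTree as ET
from xml.dom import minidom

NAMEID_TAG = "NameID"  # assumed: unqualified tag for brevity

# Constructed sample: the account the assertion was actually signed for.
SIGNED_ASSERTION = (
    "<Assertion><Subject><NameID>alice@example.com.evil</NameID>"
    "</Subject></Assertion>"
)
# Same assertion with an empty XML comment spliced into the NameID text.
MODIFIED_ASSERTION = (
    "<Assertion><Subject><NameID>alice@example.com<!---->.evil</NameID>"
    "</Subject></Assertion>"
)


def canonical_without_comments(xml_text: str) -> str:
    """Condition 2: canonicalization that discards comments.
    Stdlib C14N 2.0 is used here as a stand-in for exclusive C14N."""
    return ET.canonicalize(xml_text, with_comments=False)


def signature_input_unchanged() -> bool:
    """True when the comment leaves the signed (canonical) bytes intact."""
    return canonical_without_comments(SIGNED_ASSERTION) == \
        canonical_without_comments(MODIFIED_ASSERTION)


def _nameid_element(xml_text: str):
    # minidom keeps comments as nodes, so text before and after the
    # comment ends up in two separate Text children.
    return minidom.parseString(xml_text).getElementsByTagName(NAMEID_TAG)[0]


def extract_nameid_first_text_node(xml_text: str) -> str:
    """Vulnerable pattern (condition 3): only the first text node is read."""
    return _nameid_element(xml_text).firstChild.data


def extract_nameid_all_text(xml_text: str) -> str:
    """Safe pattern: every Text child is joined, Comment nodes are skipped."""
    node = _nameid_element(xml_text)
    return "".join(c.data for c in node.childNodes
                   if c.nodeType == c.TEXT_NODE)


if __name__ == "__main__":
    print("canonical form unchanged:", signature_input_unchanged())
    print("first-text-node extractor:", extract_nameid_first_text_node(MODIFIED_ASSERTION))
    print("all-text extractor:", extract_nameid_all_text(MODIFIED_ASSERTION))
```

With the first-text-node extractor the modified assertion resolves to a different account than the one the signature covers; the join-all-text extractor returns the original value.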


As a result, RSSO is not affected by the SAML vulnerability.


Additional Resources: