The BMC Application Security team is aware of the recent SAML vulnerability reported by Duo Labs and has determined that BMC’s Remedy Single Sign-On (RSSO) system is not affected by this vulnerability.
The Duo Labs site states that for this vulnerability to be exploited, the following must all be true:
- The SAML response contains strings identifying the authenticating user
- XML canonicalization removes comments as part of signature validation, allowing comments to be added to a SAML response without invalidating the signature
- XML text extraction only returns a substring of the element text when comments are present
Because RSSO returns the entire string (without comments) when extracting element text, the third condition is false.
As a result, RSSO is not affected by the SAML vulnerability.