This blog post provides an overview of a vulnerability discovered in Akamai's Enterprise Application Access (EAA) product which has been patched. This vulnerability could have allowed an actor to impersonate an authorized user when interacting with an application that used Security Assertion Markup Language Version 2 (SAMLv2, referred to as SAML in this document) to authenticate users.
Following the initial notification from a third party, Akamai engineers identified that the vulnerability was in Lasso, a third-party, open source library which implements the SAML v2.0 authentication protocol. Lasso is the library that Akamai EAA uses to verify SAML assertions for applications when a customer configures SAML authentication with third-party identity provider(s) (IdPs). Further investigation of the Lasso library determined that the weakness had a wider impact on other software which has Lasso as a dependency.
A comprehensive fix was deployed to the EAA network as of March 4th, 2021. No updates were required for the EAA connector appliances or the EAA Client. Akamai has determined that the SOGo and PacketFence packages maintained by Inverse, a company recently acquired by Akamai, also depend on Lasso for deployments using SAML for authentication. The SOGo package was also subject to another independent but related vulnerability, CVE-2021-33054. Information about the impact on SOGo and PacketFence may be found here. We have verified that all other external facing applications provided by Akamai, including Akamai Control Center, are not vulnerable to this attack vector.
The Lasso vulnerability has been ass ..
Support the originator by clicking the read the rest link below.
