OIOSAML for Java release 2.0.8 has been made available. This release
contains the following changes
- Security issue in the XML parser (specifically the
DocumentBuilderFactory generation in SAMLUtil.java) has been fixed.
The issue could potentially be used as an attack vector for DOS
attacks and Server Side Request Forgery attacks
Everyone is highly recommended to upgrade to this version, as the
security issue exists in all previous versions of OIOSAML.
A great thank you goes to Bob Rao from NTT Data Figtree Systems, for
reporting on this security issue, and being very helpful in locating
the exact cause and the required fix for this issue.
The code is still available through Softwarebørsen SVN, and can be
The binary artifacts are distributed as Maven dependencies, and can
be located here