SAML Vulnerability
June 1, 2021

With the recent vulnerability found in the Lasso library (CVE-2021-28091), which SOGo uses to do SAML-based authentication, we urge you to either disable SAML authentication or temporarily disable the SOGo service until updated packages are available for your operating system of choice and until we release SOGo v5.1.1 and v2.4.1.

SOGo has its own vulnerability in its use of Lasso (CVE-2021-33054), and we will provide updated SOGo packages in about two hours to fix it.

If you are NOT using SAML authentication, you are not affected by this bug, nor do you need to upgrade.

To have the full fix for these issues, you must update Lasso to v2.7.0 or later and update the SOGo packages. You should also invalidate all current user sessions.
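
The triage this advisory implies, as an added example (not SOGo project code): it assumes SAML is enabled by `SOGoAuthenticationType = saml2` in `sogo.conf` and treats the v5.1.1 and v2.4.1 releases named above as the minimum SOGo versions. The function names, verdict strings and sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added triage sketch for CVE-2021-28091 / CVE-2021-33054; not SOGo project code.

# version_ge A B: succeed when major.minor.patch of A >= B.
# Packaging suffixes such as "-1+b1" are ignored.
version_ge() {
    _a=$1 _b=$2
    for _i in 1 2 3; do
        _x=${_a%%.*}; _y=${_b%%.*}
        _x=${_x%%[!0-9]*}; _y=${_y%%[!0-9]*}
        _x=${_x:-0}; _y=${_y:-0}
        if [ "$_x" -gt "$_y" ]; then return 0; fi
        if [ "$_x" -lt "$_y" ]; then return 1; fi
        case $_a in *.*) _a=${_a#*.} ;; *) _a=0 ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b=0 ;; esac
    done
    return 0
}

# Assumption: SAML is switched on by "SOGoAuthenticationType = saml2;".
# Lines commented out with // are skipped; /* ... */ blocks are not parsed.
sogo_saml_enabled() {
    grep -Ev '^[[:space:]]*//' "$1" |
        grep -Eq 'SOGoAuthenticationType[[:space:]]*=[[:space:]]*"?saml2"?[[:space:]]*;'
}

# triage CONF LASSO_VERSION SOGO_VERSION: print one verdict.
triage() {
    if [ ! -r "$1" ]; then echo "config-unreadable"; return 2; fi
    if ! sogo_saml_enabled "$1"; then echo "not-affected"; return 0; fi
    # Only the 2.x branch is measured against v2.4.1; all others against v5.1.1.
    case $3 in 2.*) _min=2.4.1 ;; *) _min=5.1.1 ;; esac
    if version_ge "$2" 2.7.0 && version_ge "$3" "$_min"; then
        echo "patched-invalidate-sessions"
    else
        echo "vulnerable-disable-saml-or-update"
    fi
}

# Constructed sample: a SAML-enabled config with pre-fix library versions.
demo_conf=$(mktemp)
printf '{\n  SOGoAuthenticationType = saml2;\n}\n' > "$demo_conf"
triage "$demo_conf" 2.6.1 5.1.0
rm -f "$demo_conf"
```

Pass the installed Lasso and SOGo versions as reported by your package manager; a "patched" verdict still leaves the session invalidation step to do.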

