Secure-by-Default: Tackling Shared Libraries

Shared libraries are common in software development because they increase efficiency and provide a well-developed set of subroutines and functions. When a vulnerability is discovered in a shared library, it poses a serious risk to every organization that uses that library – think Log4j. But when the vulnerability is not disclosed or fixed by the open source project, and developers are unaware that they need to reconfigure it, organizations are exposed to even greater risk. In this session Mandiant and Ivanti will detail the discovery, remediation and disclosure of a vulnerability in the Apache XML Security for C++ library (xml-security-c), which is part of the Apache Santuario project. By default, the library resolves references to external URIs passed in Extensible Markup Language (XML) signatures, allowing for server-side request forgery (SSRF). There is no way to disable this behavior through configuration alone, and there is no patch available. Mandiant reported the non-secure default configuration in xml-security-c to the Apache Software Foundation (ASF). The ASF did not issue a CVE or a new release of xml-security-c.
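As an added example (not code from the session, from Mandiant or Ivanti, or from the Santuario project), the following Python pre-check illustrates the kind of application-side mitigation available when the library itself offers no switch: scan the signed XML for URI-bearing XML-DSig elements and reject any that point outside the document before the XML ever reaches the signature verifier. The element names come from the XML-DSig specification; the helper names and the sample documents are constructed for the example.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# XML-DSig elements whose URI attribute a verifier may dereference.
URI_BEARING = ("Reference", "RetrievalMethod")


def is_same_document(uri):
    """Same-document references ('' or '#id') never leave the signed XML."""
    return uri == "" or uri.startswith("#")


def find_external_references(xml_text):
    """Return every URI in the signature that points outside the document.

    Hypothetical pre-check, independent of xml-security-c: run it on the
    signed XML before handing the document to the library.
    """
    root = ET.fromstring(xml_text)
    external = []
    for elem in root.iter():
        if elem.tag.startswith("{" + DSIG_NS + "}"):
            local_name = elem.tag[len(DSIG_NS) + 2:]
            if local_name in URI_BEARING:
                uri = elem.get("URI")
                if uri is not None and not is_same_document(uri):
                    external.append(uri)
    return external


def reject_external_references(xml_text):
    """Raise ValueError if verifying this signature would fetch a remote resource."""
    found = find_external_references(xml_text)
    if found:
        raise ValueError("signature references external resources: " + ", ".join(found))
    return True


# Constructed sample: an enveloped signature that only references its own body.
SIGNED_OK = """<Document xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Body ID="body">payload</Body>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#body"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>BBBB</ds:SignatureValue></ds:Signature>
</Document>"""

# Constructed sample: the same document with two references a verifier would resolve over the network.
SIGNED_EXTERNAL = SIGNED_OK.replace(
    "</ds:SignedInfo>",
    '<ds:Reference URI="http://internal.example/resource"/></ds:SignedInfo>',
).replace(
    "</ds:Signature>",
    '<ds:KeyInfo><ds:RetrievalMethod URI="https://keys.example/cert"/></ds:KeyInfo></ds:Signature>',
)
```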