ESB-2017.2508 - [Win][UNIX/Linux] Shibboleth Identity Provider: Provide misleading information - Remote with user interaction 2017-10-05

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2508
      Shibboleth Identity Provider Security Advisory [4 October 2017]
                              5 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Identity Provider
Publisher:         Shibboleth
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://shibboleth.net/community/advisories/secadv_20171004.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Shibboleth Identity Provider Security Advisory [4 October 2017]

LDAP Data Connector insecure when using default JVM trust
=========================================================
A flaw in the library used by the LDAP data connector [1] causes the
connector to fail to validate the server certificate and leaves it
vulnerable to man in the middle attacks under the following conditions:

1. The connection is via LDAPS (NOT StartTLS).
2. The connection's trust configuration is left to the default Java
cacerts file, so-called default JVM trust.

If your connector contains a trustFile attribute or a
<StartTLSTrustCredential> element (which also applies to LDAPS
connections), then it is not relying on default JVM trust and is not
vulnerable.

Affected Versions
=================
Versions of the Identity Provider < 3.3.2 using ldaptive < 1.0.11.

Recommendations
===============
All deployers affected should take at least one, and preferably both,
of the following steps:

1. Update to V3.3.2 to correct the flaw and to maintain use of a
supported release.
2. Copy the server's certificate (or more typically a CA) to a file
and reference it with the trustFile attribute.

As a short term fix, you MAY obtain and replace the version of ldaptive
inside the deployed warfile with the latest ldaptive version, but it's
generally simpler to just do the first step above.

Note that as of V3.3.2, the software will now warn in most cases if the
default JVM trust approach is used in the LDAP connector, and a future
version will no longer support this approach, as it continues to be a
source of security problems.

References
==========
URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20171004.txt


Credits
=======
Russell Ianniello, Australian Access Federation

[1] https://wiki.shibboleth.net/confluence/display/IDP30/LDAPConnector

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAlnU3fwACgkQN4uEVAIn
eWIw7A//bQodkXcD+2xRq6iF88WoMNK6Q9Cr8kWH6ypiyRQfj1/kmL1KJgp348bK
VtSm85pQNV35pz5pEOAJ4exW5Mo/R2fJ2Q3dpqv9Qdi/hlOzp2tCyQqSiigm8VMF
ZeJjcofwY2PESV3x8v1KW8NCEsqc3RPedQJHlQ/9mLQI2fxgnH/z6BKp0u+fmTl4
WMRfTioEh0GXZpMj6qPWMIC28iBltSNx9Mzic6cTLcglHx4GhHEmkSobqHICLrKq
+yUlnDbi8n04ghF//RBut9iBQkhCVwUQWxlWEhqasXRJT4PQGZjtE7aCOqk2XPP3
y6MOdBX0PojDqEX5I/kM4ZJQfTy6PWp32SHSMlP0NiDMQzlQmODc1DWQbWO/NGOk
o+nWKQGhvmQl8GtRwtPoE5f8tjYHuC7iqW5fdw676OB4eU5DntLQofc61pXR33+o
OrS8UtB0pGGe/TS5M77oYznJ1IqOWwIaDbHW3ykrN555uOCGFKaNmBL2MghHediZ
h24TwkAv7bnXFJ+qR/WwOIWK2XgDIqybZv4L8FbzBaPYwkyPhpPLQNmh07cFxGCx
DVK3+7C0iXYHycrjxptt1bFYqT+iCHRJg0IGJYVjJ+BD4q9o+p+BQNOdwnjyuE1E
LkUyPuHfYDrhXJOysjQlFFKrufDdONeozlwoLQEff3zNpWGIn6c=
=FXHy
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWdWv/Ix+lLeg9Ub1AQgWfQ/6A/TBYT3QnwYX3wDHH1GtreP4N6m2uEQO
ZMR+R5kxPtCPmJO297vX9fmEeT8uR1UmoKNhojyukHCSwz8gOwmv6PWyXanoP1cg
AQU27O/yje3l7o2BUVyJ/XIBUeNNWIZr78EieyRsl6GqUZaoLyI4e11cX2UJkHyn
8k0DCmC+ybxqVgUWkRE8lWXRvt7EHNcq+nj6Nd0g+SwwaL9fHhyZQg4n+91/QGY0
vLHiok/JlFy9F7+dZ9Yh+kedTTvmu9P7Utqgv6qffQWems7pwyZKJ8Gvag6T9jK7
8+1hU00VTe4uDz/KdZMsVod/BYSQwBHx7hvjDUm6azoWxOSPDtBgMjSosdHE2tA0
b6lD1I0I2ML2vLGIuGXPSZ5Egr5WUtYI/i+d/g6Ufvne//8LNHiRvfxCrGgEZEKP
V7+brxpXbbzK6mz3fanvXrBWteoI6RghoyjTUvUtSYs/9OX12Mvc/+sD6tTSxN+S
WLOYjvjqrzc6rKJNKNCwDB/W01E03P3+cOD/Q7eiEYvfUceAb0kiEN5dCJzUx8vV
mtRW9OGFFMxSwo0JDZofVtQVJrV3ciy5grjP3CKk7hCTb+eDvycP4hPLdCPxgjtd
JuM950B1R75EOtKLoV/2pgAAM2lAhG9U8O+j/ZuJgP4oDZrk6RvadgrzUZjixFNd
HEsZ3sIpk4U=
=ZXtJ
-----END PGP SIGNATURE-----

« Back to bulletins