ESB-2019.0765 - [Win][UNIX/Linux] Shibboleth: Denial of service - Remote/unauthenticated 2019-03-12


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0765
       Shibboleth Service Provider Security Advisory [11 March 2019]
                               12 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth
Publisher:         Shibboleth
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9628  

Original Bulletin: 
   https://shibboleth.net/community/advisories/secadv_20190311.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [11 March 2019]

An updated version of the XMLTooling library that is part of the
OpenSAML and Shibboleth Service Provider software is now available
which corrects a denial of service vulnerability.

This issue has been assigned CVE-2019-9628.

XML parser class fails to trap exceptions on malformed XML declaration
======================================================================
Invalid data in the XML declaration causes an exception of a type
that was not handled properly in the parser class and propagates an
unexpected exception type.

This generally manifests as a crash in the calling code, which in the
Service Provider software's case is usually the shibd daemon process,
but can be Apache in some cases. Note that the crash occurs prior to
evaluation of a message's authenticity, so can be exploited by an
untrusted attacker.

This issue is *not* specific to the V3 XMLTooling software and is
believed to impact all versions prior to V3.0.4.
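The failure mode described above (a parser wrapper that traps only its own documented error class, so an exception of a different type escapes and terminates the daemon) is easy to reproduce in miniature. The following C++ is an added illustration, not code from XMLTooling or the Shibboleth project; the real library parses with Xerces-C and the advisory does not say which exception type escaped. Here the "unexpected type" is std::invalid_argument raised from std::stod on a non-numeric version value, a stand-in chosen for the demonstration, and the sample documents are constructed. The hardened wrapper shows the defensive pattern the fix implies: a catch-all boundary at the parser entry point that converts any foreign exception into the documented error type before it reaches the caller.

```cpp
// Added example: why an unhandled exception type at a parser boundary
// crashes the calling process, and how a catch-all boundary prevents it.
#include <stdexcept>
#include <string>

// Hypothetical error type that the parser wrapper documents as its only
// failure signal (stand-in for a library's own exception class).
struct XMLParserError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Minimal stand-in for the low-level XML declaration check.  A malformed
// version value makes std::stod throw std::invalid_argument, which is
// deliberately NOT derived from XMLParserError: that is the "exception of
// a type that was not handled" scenario.
static void checkXmlDeclaration(const std::string& doc) {
    const std::string prefix = "<?xml";
    if (doc.compare(0, prefix.size(), prefix) != 0) return;  // no declaration to check
    std::size_t end = doc.find("?>");
    if (end == std::string::npos) throw XMLParserError("unterminated XML declaration");
    std::string decl = doc.substr(prefix.size(), end - prefix.size());
    std::size_t v = decl.find("version=\"");
    if (v == std::string::npos) throw XMLParserError("declaration lacks version");
    std::size_t vs = v + 9;                      // length of version="
    std::size_t ve = decl.find('"', vs);
    if (ve == std::string::npos) throw XMLParserError("unterminated version value");
    std::stod(decl.substr(vs, ve - vs));         // throws std::invalid_argument on "bad"
}

// "Before": only the documented error type is trapped.  Any other exception
// passes straight through; in a daemon with no outer handler that ends in
// std::terminate, i.e. the process crash the advisory describes.
static bool parseUnsafe(const std::string& doc, std::string& err) {
    try {
        checkXmlDeclaration(doc);
        return true;
    } catch (const XMLParserError& e) {
        err = e.what();
        return false;
    }
}

// "After": a catch-all boundary.  Everything that is not already an
// XMLParserError is reported as one, so callers only ever see the
// documented type and untrusted input cannot take the process down.
static bool parseSafe(const std::string& doc, std::string& err) {
    try {
        checkXmlDeclaration(doc);
        return true;
    } catch (const XMLParserError& e) {
        err = e.what();
    } catch (const std::exception& e) {
        err = std::string("unexpected parser exception: ") + e.what();
    } catch (...) {
        err = "unexpected non-standard exception";
    }
    return false;
}

// True if the unsafe wrapper lets a foreign exception type escape to the caller.
static bool unsafeWrapperLeaks(const std::string& doc) {
    std::string err;
    try {
        parseUnsafe(doc, err);
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}

// "ok" on success, otherwise the error message the safe wrapper produced.
static std::string safeParseResult(const std::string& doc) {
    std::string err;
    return parseSafe(doc, err) ? std::string("ok") : err;
}

// Constructed sample inputs (not taken from the advisory).
static const char* kGoodDoc = "<?xml version=\"1.0\"?><a/>";
static const char* kBadDoc  = "<?xml version=\"bad\"?><a/>";

int main() {
    // The unsafe wrapper leaks on the malformed declaration; the safe one
    // reports it as an ordinary parse failure.
    return (unsafeWrapperLeaks(kBadDoc) && safeParseResult(kBadDoc) != "ok") ? 0 : 1;
}
```

The point for a reviewer of any parser boundary is the second wrapper: the contract is "this function either returns or throws XMLParserError", and only a handler for std::exception plus a final catch(...) actually enforces that contract against input the process has not yet authenticated.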

Recommendations
===============
Update to V3.0.4 or later of the XMLTooling library, which is
now available.

The updated version of the library has been included in a V3.0.4 patch
release of the Service Provider software on Windows.

Other Notes
===========
The xmltooling git commit containing the fix for this issue is
af27c422f551e16989ff6f1722d83614c8550eb5 and is in general terms
applicable to V2 of the library.

Credits
=======
Ross Geerlings, University of Michigan

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20190311.txt

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAlyGW9wACgkQN4uEVAIn
eWLkNg/9EdO+8G7P9dlkZ2MuU+xuVcOqdA3/6A558zfROGtNLqRr4hbHIFBojYY1
1kYFlRmKg1PYD4Ovk1/w7SrAR0STKkxfx/JX2O44pkwb5TnrhFFl6v8x7UZf9BoM
ZMPpryaxpBxVL3dDVu2WIElq7LaaFXk+yP/ynVwQCN3mt6tcHNZ/zB1638+QGr1+
oO7LpyW+/s2UoqcQC6koox/KZ/UTlkgbi9tK8P+p1U1yVDS+72SxTFSmkVWlWlWm
5BO5OXpb+vkP82UMIgZP1vGUqtXiX8XbEUqY29ZkfA1926GOBDwGx7MZ6v7U360I
ODio0F8Y9BBd+q8VoBvDenJqlNWedQotWPu3kD1eaXc1m6723ukKNEAu++Oxcon8
YonIRP1rbSytDS1RgPsklK4Lblr0ZhGZNvTpKgPxthccxAdewbk+8NeL8p6fGluj
wpRoB0L9Ia92f4RNbQKVFH9JZKAbAvK43RQdNM7COf64n/yXB543WL2FIuJGcevE
6wUg760mr/OxjXb3EeBTYxeb2sRlxRahfItT+n2MKLGu63GpJdheHvYewRDrPMB7
tCaelK6+lVg6+cg91nkuLL4zHqANJLm8VD49rjjIoXHmaK5H3QZ8/7cAFjBCnFV4
ur3nN8DMJlW/N9YKtINpF15YWk/TSq8NPtCRpPhp9G7kN5Op7Gw=
=GHcJ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
