AUSCERT External Security Bulletin Redistribution
Shibboleth Service Provider patches critical security vulnerability
28 February 2018
AusCERT Security Bulletin Summary
Product: Shibboleth Service Provider
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
CVE Names: CVE-2018-0489
Comment: The vendor notes that this vulnerability is present in multiple SAML
libraries, not just Shibboleth.
--------------------------BEGIN INCLUDED TEXT--------------------
Shibboleth Service Provider Security Advisory [27 February 2018]
An updated version of the Shibboleth Project's XMLTooling library is
available which corrects a critical security issue.
Shibboleth SP software vulnerable to additional data forgery flaws
The XML processing performed by the Service Provider software has been
found to be vulnerable to new flaws similar in nature to the one
addressed in an advisory last month.
These bugs involve the use of other XML constructs rather than entity
references, and therefore required additional mitigation once discovered.
As with the previous issue, this flaw allows for changes to an XML document
that do not break a digital signature but can alter the user data passed
through to applications behind the SP and result in impersonation attacks
and exposure of protected information.
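The advisory does not name the XML constructs involved. The following added example (not Shibboleth Project code) uses an XML comment inserted into a signed NameID as one illustrative construct; that choice is an assumption here. It shows why such an edit survives signature validation: the digest in XML Signature is computed over a canonicalised form that, under the usual canonicalisation algorithms, omits comments, while a consumer that reads only the first text node of the element sees a truncated value. Python's standard-library C14N 2.0 (xml.etree.ElementTree.canonicalize, Python 3.8 or later) stands in for the Exclusive C14N that SAML signatures normally use; the account name, the attacker.test domain and the naive_text/safe_text helpers are constructed for the example.

```python
"""
Why a comment inside a signed element can change what an SP reads
without invalidating the signature.

Constructed example; not code from the Shibboleth Project. The attribute
value and the comment-injection construct are assumptions used to
illustrate the class of bug described in the advisory.
"""
import hashlib
import xml.dom.minidom
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed subtree exactly as the IdP signed it. The attacker legitimately
# owns the account "alice@example.org.attacker.test" at the IdP.
SIGNED = (
    '<saml:Subject xmlns:saml="%s">'
    '<saml:NameID>alice@example.org.attacker.test</saml:NameID>'
    '</saml:Subject>' % SAML_NS
)

# The same subtree after the attacker inserts a comment into the NameID text.
TAMPERED = (
    '<saml:Subject xmlns:saml="%s">'
    '<saml:NameID>alice@example.org<!-- -->.attacker.test</saml:NameID>'
    '</saml:Subject>' % SAML_NS
)


def reference_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form of the subtree with comments excluded.

    XML Signature normally canonicalises the referenced content with an
    algorithm that drops comments before hashing. Python's C14N 2.0 with
    with_comments=False has the same property, so the inserted comment does
    not change the digest and the signature still verifies.
    """
    canonical = ET.canonicalize(xml_text, with_comments=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def _name_id(xml_text: str):
    """Return the NameID element from a parsed DOM (comments are kept)."""
    doc = xml.dom.minidom.parseString(xml_text)
    return doc.getElementsByTagNameNS(SAML_NS, "NameID")[0]


def naive_text(xml_text: str) -> str:
    """Vulnerable consumer pattern: read only the first text node.

    The comment splits the element content into two text nodes, so this
    returns the attacker-chosen prefix rather than the value the IdP signed.
    """
    return _name_id(xml_text).firstChild.data


def safe_text(xml_text: str) -> str:
    """Hardened consumer pattern: reconstruct the full simple content.

    Every text and CDATA node is concatenated, comments (which the signature
    never covered) are ignored, and any child element is rejected outright,
    so the result equals what was canonicalised and signed.
    """
    parts = []
    for child in _name_id(xml_text).childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.COMMENT_NODE:
            continue
        else:
            raise ValueError("unexpected child node in simple-content element")
    return "".join(parts)


if __name__ == "__main__":
    print("digest unchanged:",
          reference_digest(SIGNED) == reference_digest(TAMPERED))
    print("naive read of tampered doc:", naive_text(TAMPERED))
    print("safe read of tampered doc: ", safe_text(TAMPERED))
```

Run stand-alone, the script reports that the digests of the signed and tampered subtrees are identical, that the naive reader sees alice@example.org, and that the hardened reader recovers the signed value alice@example.org.attacker.test. The same pattern applies to any attribute value the SP hands to applications, which is why the advisory treats the bug as an impersonation and data-exposure issue rather than a signature-verification failure.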
As before, the use of XML Encryption is a significant mitigation, but we
have not dismissed the possibility that attacks on the Response "envelope"
may be possible, in both the original and this new case. No actual attacks
of this nature are known, so deployers should prioritize patching systems
that expect to handle unencrypted SAML assertions.
An updated version of XMLTooling-C (V1.6.4) is available that protects
against these new attacks, and should help prevent similar vulnerabilities
in the future.
Unlike the previous case, these bugs are NOT prevented by any existing
Xerces-C parser version on any platform and cannot be addressed by any
means other than the updated XMLTooling-C library.
ALL supported (and unsupported) platforms are impacted by these bugs,
including Windows, Linux, Solaris, and OS X.
This vulnerability has been assigned CVE-2018-0489 and is referenced by
a CERT Vulnerability Note.
Upgrade to V1.6.4 or later of the XMLTooling-C library and restart the
affected processes (shibd, Apache, etc.)
Linux installations relying on official RPM packages can upgrade to
the latest package versions to obtain the fix.
The MacPort has also been updated.
Windows systems can upgrade to the latest Service Provider release
(V220.127.116.11) which contains the appropriately updated libraries. 
Kelby Ludwig, Duo Security
Scott Cantor, Shibboleth Project
URL for this Security Advisory:
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.