
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3714
      Shibboleth Identity Provider Security Advisory [2 October 2019]
                              3 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Identity Provider
Publisher:         Shibboleth Project
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://shibboleth.net/community/advisories/secadv_20191002.txt

--------------------------BEGIN INCLUDED TEXT--------------------


Shibboleth Identity Provider Security Advisory [2 October 2019]

Denial of service via External authentication flows
===================================================
The Shibboleth Identity Provider supports a number of login flows that
rely on servlets or JSP pages to operate, including External, RemoteUser,
X509, and SPNEGO.

These flows are vulnerable to a denial of service attack by a remote,
unauthenticated attacker, via Java heap exhaustion due to the creation
of objects in the Java Servlet container session.

Deployments that make use of any of these login flows, either directly
or via the MFA flow, are vulnerable to this issue.

The flows have been redesigned to avoid the creation of objects outside
of existing controls that limit the number of webflow conversations
that can be created without older state being released to the garbage
collection process.

The redesign required API changes to a pair of classes that would
ordinarily not be permitted in a patch release, but direct use of these
classes by deployers has been deemed unlikely and existing External/etc.
login flow deployments remain compatible with the upgrade.


Affected Versions
=================
Versions of the Identity Provider between V3.0.0 and V3.4.5

Recommendations
===============
Upgrade to Identity Provider V3.4.6 or later.
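An added triage helper, not part of the advisory, that applies the affected range and the exposure condition above to a deployment: it compares versions numerically (so 3.4.10 is not mistaken for an affected release) and treats a deployment as exposed only when one of the named login flows, or MFA (which may delegate to them), is enabled. It assumes the enabled flows are listed in the `idp.authn.flows` property of `idp.properties` as a `|`-separated list; the sample configuration is constructed.

```python
import re
from typing import Optional, Set, Tuple

# Bounds taken from the advisory (inclusive) and the fixed release.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 4, 5)
FIXED = (3, 4, 6)

# Login flows the advisory names; MFA is included because it can delegate to them.
EXPOSED_FLOWS = {"External", "RemoteUser", "X509", "SPNEGO", "MFA"}

_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'V3.4.5' or '3.4.10' into a numeric tuple; None if unrecognised.

    Numeric comparison matters: as strings '3.4.10' < '3.4.5', which would
    misclassify a patched 3.4.10 deployment as affected.
    """
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def enabled_flows(idp_properties: str) -> Set[str]:
    """Read idp.authn.flows from idp.properties text (assumed '|'-separated)."""
    for line in idp_properties.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "idp.authn.flows":   # commented-out keys do not match
            return {f.strip() for f in value.split("|") if f.strip()}
    return set()


def classify(version_text: str, idp_properties: str) -> str:
    """Return one of: affected, fixed, not-exposed, unknown."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"                      # unparseable: flag for manual review
    if v >= FIXED:
        return "fixed"
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return "unknown"                      # e.g. V2.x, not covered by this advisory
    if enabled_flows(idp_properties) & EXPOSED_FLOWS:
        return "affected"
    return "not-exposed"                      # vulnerable build, but flows not in use


if __name__ == "__main__":
    # Constructed sample configuration; not taken from a real deployment.
    props = "idp.authn.flows = Password|External\nidp.entityID = https://idp.example.edu/idp\n"
    print(classify("V3.4.5", props))          # affected
    print(classify("3.4.10", props))          # fixed
```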

References
==========
URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20191002.txt

Credits
=======
Jamie Arthur from Queensland University of Technology


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================