-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1425
               Shibboleth Service Provider Security Advisory
                               27 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth SP
Publisher:         Shibboleth
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   https://shibboleth.net/community/advisories/secadv_20210426.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [26 April 2021]

An updated version of the Service Provider software is now
available which corrects a denial of service vulnerability.

Session recovery feature contains a null pointer dereference
======================================================================
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied. This manifests as a crash in
the shibd daemon/service process.

Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by a
remote, unauthenticated attacker.

Versions without this feature (prior to V3.0) are not vulnerable to
this particular issue.

Recommendations
===============
Update to V3.2.2 or later of the Service Provider software, which is
now available.

In cases where this is not immediately possible, configuring a
DataSealer component in shibboleth2.xml (even if used for nothing)
will work around the vulnerability. For example:

<DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />

This workaround is only possible after having updated the core
configuration to the V3 XML namespace.

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
5a47c3b9378f4c49392dd4d15189b70956f9f2ec

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210426.txt

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAmCGtDAACgkQN4uEVAIn
eWIETw/+NlYyGaq1rjD0h37Yvdb5pwyaR5tsRBDx+xIC3O8Bg9Ku7ijaeyyFM75N
iyNzPZNafHTP1j9smpjeRSVvfzZ2qNOhiU7XikhsSjjA1y0ZEY/uBaSJ0S4of79b
z2avqzeEEIU1Ot2C0VFAxN8RFRKhmw/DJba1QiMulc0R3Hj2BOGjEmucSDNfXPIO
AedwmUCNynDZZLragwvyjhKlcomwY7j/ODGzmJeVQ/r2hRnEDQuzXBpItjWhW0L/
o51dIuDTfVyRoD5NnPTLWVtZ2J4/lQGjVY7zHd6UA/FgugdmPqMycPFqAkpjWj/h
4R3DpeuwzZHoh6ty6QFtz8Rw/9wpu5khK5tHo7num+SJenOrb6L3iYr5Mtjirf/C
iomS6xyy3XGnJ7d47BDR3ONJCo//XH8sKQx+ONkWe5MrB7DhlEY7rbYDXng/Qewr
s2qnR3JcQWI4OW/Zu6xYycnsmhkqIiwSC364TL0TRYb7nRXloaRqG9F/nnLaaXHU
oJn8AOanAdD9f/y1dAZ9JZkNIHNvpSCxoVHgRt3SJ0CGTClbkCRlEziLiHMw1+zY
KGXv+YsxysAu0fRcM+uxi9tg0f6n2HxLvdxFh3/JHaueg+2IWQd/zRtBC7OFXdZm
sPCJzAHytHyAqQUFDFNfSmRCTbVZne7Xjos/1w1OyKpa8xGrdsk=
=+5e9
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYIeu/+NLKJtyKPYoAQgzaQ//TE2SslMgbV1ilaXmJiVnrPQccRAt8dbZ
JdoRzeHUu2DUmdy29XewI0zfseZgikCXPVrsfdgSgdT1m6pdbtmn20GXfRhWpbtn
qihJZmvuJ9SYhwKbRmS02QJpeD3MZSrwvC8au+koj90jS0nkbL8JsQ/OdJkbGuED
7kLEU+WZXrznW3MPw9/CzwXCRig+ddnQFM5jlVfyipp0DxPYOEXVjjFIUjRmUuVS
X3bB1eJ8ca13DSNOfzontDedD6qQ75fU64TQVeEOBEKKV8F27+lEfznIpolKXZf4
GEqwxynSWNXdqzfAbbPhk40OWzvfz+Nt9vOvfrSUO3ycaoYoRlbsi5mdYlPXayP6
BWsDHSUbQYeb8oho4EvGPG3kjx+bissuQJVvwsvRXRmqX+JLKklnegcl2UjYSjyn
Fsh+nXheeg2RRRpaESkM8749bt6xe5bELNcfWrZwZXrIfjn88kozeCtDrNJ4Hdj5
f5CI54qk3RheT9V+VYGb0m7UaI+UxZhiFaMZL1T86jDmH9UoKN0JhczJNqrxC8Cv
zJCaw3Pq6152VkdBG0C0N+3x8Eezz4SGcIS5rOSdpEd+eeF4Xk5CSUf5Igkjy0o2
reXJQmij+LXGt/vVQ77OLYHkf2TqBxBoBB5PgVwjdcAB5YMK87RiD8yS1Y3IVMHi
1L06TA0bNl0=
=ZPVS
-----END PGP SIGNATURE-----
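Editorial example, appended after the bulletin. The Recommendations section above leaves an operator with two things to verify: whether the running SP is in the affected range (V3.0 up to, but not including, V3.2.2; anything before V3.0 lacks the session recovery feature), and, if the interim workaround is wanted, whether shibboleth2.xml has already been moved to the V3 XML namespace and carries a DataSealer element. The script below is not part of the AusCERT bulletin or of the Shibboleth project. It runs both checks against constructed sample configurations and emits a Static DataSealer element with a freshly generated key instead of the key printed in the advisory; a key that appears in a public advisory is fine for a sealer "used for nothing", but must not end up in a deployment whose sealer actually protects session recovery cookies. Assumptions: the 2.0 and 3.0 configuration namespace URIs as written in the code, that a 16-byte key (the length of the advisory's example) is accepted for a Static sealer, and that the element may be located anywhere in the document rather than at one fixed position. The sample configurations, entityID and version strings are made up.

```python
"""Check exposure to the shibd null pointer dereference (secadv_20210426)
and whether the DataSealer workaround is in place. Added example, not
Shibboleth or AusCERT code."""
import base64
import os
import xml.etree.ElementTree as ET

# Namespace URIs of the SP core configuration (shibboleth2.xml). Assumed.
V3_NS = "urn:mace:shibboleth:3.0:native:sp:config"
V2_NS = "urn:mace:shibboleth:2.0:native:sp:config"

FIRST_AFFECTED = (3, 0, 0)   # session recovery feature added in V3.0
FIXED = (3, 2, 2)            # first release carrying the fix


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); a packaging suffix such as '3.2.1-1' is dropped."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_is_affected(text):
    """True for V3.0 <= version < V3.2.2; pre-V3.0 lacks the feature entirely."""
    return FIRST_AFFECTED <= parse_version(text) < FIXED


def _namespace(tag):
    return tag[1:tag.index("}")] if tag.startswith("{") else ""


def assess_config(xml_text):
    """Classify a shibboleth2.xml document with respect to the workaround.

    'v2-namespace'       still on the 2.0 namespace; the workaround cannot be
                         applied until the configuration is migrated to V3
    'workaround-missing' V3 namespace, no DataSealer element
    'workaround-present' V3 namespace, a DataSealer element exists
    """
    root = ET.fromstring(xml_text)
    ns = _namespace(root.tag)
    if ns != V3_NS:
        return "v2-namespace" if ns == V2_NS else "unknown-namespace"
    # Assumption: search the whole tree so the check is independent of layout.
    sealer = next(root.iter("{%s}DataSealer" % V3_NS), None)
    return "workaround-present" if sealer is not None else "workaround-missing"


def new_static_datasealer(key_bytes=None):
    """Build a Static DataSealer element with a fresh random key.

    Assumption: a 16-byte key, the length of the advisory's example, is
    accepted. Never reuse a key that was published in an advisory for a
    sealer that protects real session recovery cookies."""
    if key_bytes is None:
        key_bytes = os.urandom(16)
    key = base64.b64encode(key_bytes).decode("ascii")
    return '<DataSealer type="Static" key="%s" />' % key


def recommend(version_text, xml_text):
    """Turn both checks into a single action for an operator."""
    if not version_is_affected(version_text):
        return "not affected: this issue does not require an update"
    state = assess_config(xml_text)
    if state == "workaround-present":
        return "affected but mitigated: schedule the update to 3.2.2 or later"
    if state == "workaround-missing":
        return "affected: update to 3.2.2 or later, or add a DataSealer now"
    return "affected: update to 3.2.2 or later (workaround needs the V3 namespace)"


# Constructed sample configurations; not taken from any real deployment.
V2_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" clockSkew="180">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn"/>
</SPConfig>"""

V3_CONFIG_NO_SEALER = V2_CONFIG.replace("2.0:native", "3.0:native")

V3_CONFIG_WITH_SEALER = V3_CONFIG_NO_SEALER.replace(
    "</SPConfig>", "  %s\n</SPConfig>" % new_static_datasealer())


if __name__ == "__main__":
    for label, cfg in [("v2", V2_CONFIG), ("v3", V3_CONFIG_NO_SEALER),
                       ("v3+sealer", V3_CONFIG_WITH_SEALER)]:
        print(label, "->", recommend("3.2.1", cfg))
```

The version gate deliberately treats anything below 3.0.0 as not affected, mirroring the advisory's statement that releases without the session recovery feature are not exposed to this particular issue; it says nothing about other reasons to upgrade an old V2 deployment. The namespace check comes before the element search because a DataSealer element in a 2.0-namespace file would not be the workaround the advisory describes.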