===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.1425
               Shibboleth Service Provider Security Advisory
                               27 April 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth SP
Publisher:         Shibboleth
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   https://shibboleth.net/community/advisories/secadv_20210426.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [26 April 2021]

An updated version of the Service Provider software is now
available which corrects a denial of service vulnerability.

Session recovery feature contains a null pointer dereference
======================================================================
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.

This manifests as a crash in the shibd daemon/service process.

Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.

Versions without this feature (prior to V3.0) are not vulnerable
to this particular issue.

Recommendations
===============
Update to V3.2.2 or later of the Service Provider software, which
is now available.

In cases where this is not immediately possible, configuring a
DataSealer component in shibboleth2.xml (even if used for nothing)
will work around the vulnerability.

For example:

<DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />

This workaround is only possible after having updated the
core configuration to the V3 XML namespace.
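The following triage script is an added example and is not part of the Shibboleth advisory or the cpp-sp code base. It applies the advisory's rules to a deployment: given the shibd version and the contents of shibboleth2.xml it reports whether the SP is unaffected (pre-3.0), fixed (3.2.2 or later), mitigated (a DataSealer is configured under the V3 namespace), or still vulnerable, and it builds a DataSealer element with a freshly generated key rather than the key printed above. Assumed details, none of which are stated in the advisory: the V2 and V3 configuration namespace URIs used below, that the DataSealer element is found anywhere under SPConfig, that the version string is obtained separately (for example from the package manager), and that a 16-byte key is an acceptable length for the Static sealer.

```python
"""Triage helper for the Shibboleth SP session-recovery DoS advisory.
Added example, not Shibboleth project code. Encodes the advisory's
boundaries: feature (and flaw) introduced in 3.0, fixed in 3.2.2,
workaround = a DataSealer in a V3-namespace shibboleth2.xml."""
import base64
import os
import xml.etree.ElementTree as ET

# Assumed namespace URIs for the V2 and V3 SP configuration schemas.
V2_NS = "urn:mace:shibboleth:2.0:native:sp:config"
V3_NS = "urn:mace:shibboleth:3.0:native:sp:config"
FEATURE_ADDED = (3, 0, 0)   # session recovery (and the flaw) first appear here
FIXED_IN = (3, 2, 2)        # version the advisory says corrects the issue


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); tolerates a packaging suffix such as '3.2.1-1'."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def config_facts(config_xml):
    """Return (root namespace URI, DataSealer present?) for a shibboleth2.xml."""
    root = ET.fromstring(config_xml)
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    # The advisory prints the element unprefixed; in the real file the default
    # namespace applies, so try the qualified name first and the bare name second.
    sealer = root.find(".//{%s}DataSealer" % ns) if ns else None
    if sealer is None:
        sealer = root.find(".//DataSealer")
    return ns, sealer is not None


def assess(config_xml, version_text):
    """Classify one SP instance: returns {'status': ..., 'action': ...}."""
    version = parse_version(version_text)
    ns, has_sealer = config_facts(config_xml)
    if version < FEATURE_ADDED:
        return {"status": "not_affected", "action": "none (feature absent)"}
    if version >= FIXED_IN:
        return {"status": "fixed", "action": "none"}
    if ns != V3_NS:
        # A DataSealer cannot be declared until the config uses the V3 schema,
        # so even a stray element here does not count as a mitigation.
        return {"status": "vulnerable",
                "action": "upgrade to 3.2.2+, or migrate shibboleth2.xml to the "
                          "V3 namespace and then add a DataSealer"}
    if has_sealer:
        return {"status": "mitigated", "action": "upgrade to 3.2.2+ when possible"}
    return {"status": "vulnerable",
            "action": "upgrade to 3.2.2+, or add a DataSealer to shibboleth2.xml"}


def fresh_sealer_element(nbytes=16):
    """Build a Static DataSealer line with a random key instead of copying the
    advisory's example key. 16 bytes matches the length of that example; the
    accepted key sizes are an assumption, check the SP documentation."""
    key = base64.b64encode(os.urandom(nbytes)).decode("ascii")
    return '<DataSealer type="Static" key="%s" />' % key


# Constructed sample configurations for demonstration only.
V2_NO_SEALER = ('<SPConfig xmlns="%s">'
                '<ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>'
                '</SPConfig>' % V2_NS)
V3_NO_SEALER = V2_NO_SEALER.replace(V2_NS, V3_NS)
V3_WITH_SEALER = V3_NO_SEALER.replace(
    "</SPConfig>",
    '<DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" /></SPConfig>')

if __name__ == "__main__":
    cases = [("v2 config, shibd 2.6.1", V2_NO_SEALER, "2.6.1"),
             ("v2 config, shibd 3.2.1", V2_NO_SEALER, "3.2.1"),
             ("v3 config, shibd 3.2.1", V3_NO_SEALER, "3.2.1"),
             ("v3 + sealer, shibd 3.2.1", V3_WITH_SEALER, "3.2.1"),
             ("v3 config, shibd 3.2.2", V3_NO_SEALER, "3.2.2")]
    for label, cfg, ver in cases:
        print("%-26s %s" % (label, assess(cfg, ver)))
    print("suggested workaround element:", fresh_sealer_element())
```

Run it against the real shibboleth2.xml by passing the file contents to assess() together with the installed version; the "mitigated" result still carries an action, since the workaround only hides the crash path and the upgrade to V3.2.2 remains the fix.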

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
5a47c3b9378f4c49392dd4d15189b70956f9f2ec


URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210426.txt


- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAmCGtDAACgkQN4uEVAIn
eWIETw/+NlYyGaq1rjD0h37Yvdb5pwyaR5tsRBDx+xIC3O8Bg9Ku7ijaeyyFM75N
iyNzPZNafHTP1j9smpjeRSVvfzZ2qNOhiU7XikhsSjjA1y0ZEY/uBaSJ0S4of79b
z2avqzeEEIU1Ot2C0VFAxN8RFRKhmw/DJba1QiMulc0R3Hj2BOGjEmucSDNfXPIO
AedwmUCNynDZZLragwvyjhKlcomwY7j/ODGzmJeVQ/r2hRnEDQuzXBpItjWhW0L/
o51dIuDTfVyRoD5NnPTLWVtZ2J4/lQGjVY7zHd6UA/FgugdmPqMycPFqAkpjWj/h
4R3DpeuwzZHoh6ty6QFtz8Rw/9wpu5khK5tHo7num+SJenOrb6L3iYr5Mtjirf/C
iomS6xyy3XGnJ7d47BDR3ONJCo//XH8sKQx+ONkWe5MrB7DhlEY7rbYDXng/Qewr
s2qnR3JcQWI4OW/Zu6xYycnsmhkqIiwSC364TL0TRYb7nRXloaRqG9F/nnLaaXHU
oJn8AOanAdD9f/y1dAZ9JZkNIHNvpSCxoVHgRt3SJ0CGTClbkCRlEziLiHMw1+zY
KGXv+YsxysAu0fRcM+uxi9tg0f6n2HxLvdxFh3/JHaueg+2IWQd/zRtBC7OFXdZm
sPCJzAHytHyAqQUFDFNfSmRCTbVZne7Xjos/1w1OyKpa8xGrdsk=
=+5e9
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================