[prev in list] [next in list] [prev in thread] [next in thread] 

List:       shibboleth-announce
Subject:    Shibboleth Service Provider Security Advisory [26 April 2021]
From:       "Cantor, Scott" <cantor.2 () osu ! edu>
Date:       2021-04-26 12:45:21
Message-ID: 1E2C97E9-E948-4EF7-A35E-8EE2978A7BF3 () osu ! edu
[Download RAW message or body]

 -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [26 April 2021]

An updated version of the Service Provider software is now
available which corrects a denial of service vulnerability.

Session recovery feature contains a null pointer deference
======================================================================
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.

This manifests as a crash in the shibd daemon/service process.

Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.

Versions without this feature (prior to V3.0) are not vulnerable
to this particular issue.

Recommendations
===============
Update to V3.2.2 or later of the Service Provider software, which
is now available.

In cases where this is not immediately possible, configuring a
DataSealer component in shibboleth2.xml (even if used for nothing)
will work around the vulnerability.

For example:

<DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />

This workaround is only possible after having updated the
core configuration to the V3 XML namespace.

Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
5a47c3b9378f4c49392dd4d15189b70956f9f2ec


URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210426.txt


-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAmCGtDAACgkQN4uEVAIn
eWIETw/+NlYyGaq1rjD0h37Yvdb5pwyaR5tsRBDx+xIC3O8Bg9Ku7ijaeyyFM75N
iyNzPZNafHTP1j9smpjeRSVvfzZ2qNOhiU7XikhsSjjA1y0ZEY/uBaSJ0S4of79b
z2avqzeEEIU1Ot2C0VFAxN8RFRKhmw/DJba1QiMulc0R3Hj2BOGjEmucSDNfXPIO
AedwmUCNynDZZLragwvyjhKlcomwY7j/ODGzmJeVQ/r2hRnEDQuzXBpItjWhW0L/
o51dIuDTfVyRoD5NnPTLWVtZ2J4/lQGjVY7zHd6UA/FgugdmPqMycPFqAkpjWj/h
4R3DpeuwzZHoh6ty6QFtz8Rw/9wpu5khK5tHo7num+SJenOrb6L3iYr5Mtjirf/C
iomS6xyy3XGnJ7d47BDR3ONJCo//XH8sKQx+ONkWe5MrB7DhlEY7rbYDXng/Qewr
s2qnR3JcQWI4OW/Zu6xYycnsmhkqIiwSC364TL0TRYb7nRXloaRqG9F/nnLaaXHU
oJn8AOanAdD9f/y1dAZ9JZkNIHNvpSCxoVHgRt3SJ0CGTClbkCRlEziLiHMw1+zY
KGXv+YsxysAu0fRcM+uxi9tg0f6n2HxLvdxFh3/JHaueg+2IWQd/zRtBC7OFXdZm
sPCJzAHytHyAqQUFDFNfSmRCTbVZne7Xjos/1w1OyKpa8xGrdsk=
=+5e9
-----END PGP SIGNATURE-----

--
To unsubscribe from this list send an email to announce-unsubscribe@shibboleth.net
[prev in list] [next in list] [prev in thread] [next in thread]