SECURITY ADVISORY: Potential Access to Sensitive Information when Clustering Shibboleth 2 IdPs

Chad La Joie
Potential Access to Sensitive Information when Clustering Shibboleth 2.X
IdPs
==================================

Shibboleth 2 IdPs using the Terracotta clustering support MAY be
allowing access to sensitive information (e.g. passwords and user data).
Terracotta allows deployers to inspect runtime information via the
Java Management Extensions (JMX)[1].  Part of this runtime information
is the information being replicated between IdP cluster nodes which may
contain sensitive data.

Affected Systems
===========
All Shibboleth 2 IdPs using Terracotta clustering

Addressing the Issue
==========
Block the Terracotta JMX port (default: 9520).

If you are using JMX, allow only trusted machines to access the JMX
port.

Step 1 of 'Configuring IdP Clustering'[2] in the wiki has been updated
to more strongly suggest this as well.

Note: while Terracotta does allow you to assign a username/password that
is then required to access this port, doing so breaks support for their
command line scripts (such as the recommended distributed garbage
collection script).

Credits
==========
Russell Beall, Univ of Southern California, for bringing this to my attention

[1] http://java.sun.com/javase/technologies/core/mntr-mgmt/javamanagement
[2] https://spaces.internet2.edu/display/SHIB2/IdPCluster

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch
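
One way to express the "Addressing the Issue" steps above as host firewall rules, as an added example that is not part of the original advisory or the Shibboleth/Terracotta documentation. It assumes a Linux IdP node filtered with iptables and IPv4 peers; the function names `is_ipv4` and `jmx_rules` and the 192.0.2.x addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the advisory): print iptables rules that limit the
# Terracotta JMX port to an allow-list. Assumes Linux + iptables, IPv4 only;
# a host reachable over IPv6 needs equivalent ip6tables rules.

JMX_PORT=9520   # Terracotta JMX default port named in the advisory

# Return 0 only for a plain dotted-quad IPv4 address (hypothetical helper).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print one ACCEPT per trusted host, then a DROP for every other source.
# With no arguments the port is blocked outright. Any malformed address
# aborts before output, so a typo never yields a partial rule set.
jmx_rules() {
    for host in "$@"; do
        is_ipv4 "$host" || { echo "invalid address: $host" >&2; return 1; }
    done
    for host in "$@"; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' \
            "$host" "$JMX_PORT"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$JMX_PORT"
}

# Constructed sample: two trusted cluster/admin hosts (documentation range).
# The rules are printed for review, not applied. -A appends, so an earlier
# ACCEPT already in the INPUT chain would still take precedence.
jmx_rules 192.0.2.10 192.0.2.11
```

Review the printed rules against the existing INPUT chain before applying them on each cluster node.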