Shibboleth Identity Provider Security Advisory [27 October 2016]


Cantor, Scott E.

Shibboleth Identity Provider Security Advisory [27 October 2016]

Collision in LDAP Data Connector result set cache
=================================================
A flaw in the implementation of the result cache in the LDAP data
connector [1] in the attribute resolver can cause results for one search
to be substituted for another search, including one associated with a
different subject. Depending on the purpose of the search and the
attributes involved, this can result in data associated with one user
being substituted for another, with critical impact on connected
systems, up to and including improper information disclosure.

It is believed at this time that this flaw is present in the V3
software only, and does not affect the older V2 Identity Provider
software. It is also believed to impact only the LDAP data connector
and not the RDBMS data connector. If either assumption proves false,
we will update this advisory.

Affected Versions
=================
Versions of the Identity Provider >= 3.0.0 and < 3.3.0.


Recommendations
===============
All deployers making use of this feature should immediately remove
the <ResultCache> element from any configured LDAP data connectors.

Upon the release of V3.3.0, updating to that version will make the
feature safe to use again.
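As an added example (not part of the advisory or of the Shibboleth project's code), a Python check a deployer can run over attribute-resolver.xml to list LDAPDirectory data connectors that still carry a <ResultCache> element, and to produce a copy of the file with those elements removed. The sample configuration below is constructed, and its ResultCache attribute names are illustrative assumptions; matching is done on local element names so that either the resolver or the dc namespace prefix is recognised.

```python
import xml.etree.ElementTree as ET

# Keep the IdP's own prefixes when re-serialising (ElementTree would emit ns0/ns1).
ET.register_namespace("resolver", "urn:mace:shibboleth:2.0:resolver")
ET.register_namespace("dc", "urn:mace:shibboleth:2.0:resolver:dc")
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample attribute-resolver.xml: one LDAP connector carrying the
# affected <ResultCache>, plus an unrelated static connector. All values are made up.
SAMPLE_RESOLVER = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap.example.org" baseDN="ou=people,dc=example,dc=org">
    <dc:FilterTemplate>(uid=$resolutionContext.principal)</dc:FilterTemplate>
    <dc:ResultCache elementTimeToLive="PT4H" maximumCachedElements="500"/>
  </resolver:DataConnector>
  <resolver:DataConnector id="staticAttrs" xsi:type="dc:Static">
    <dc:Attribute id="affiliation"><dc:Value>member</dc:Value></dc:Attribute>
  </resolver:DataConnector>
</resolver:AttributeResolver>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # '{ns}Name' -> 'Name'

def _ldap_connectors(root):
    """DataConnector elements whose xsi:type is LDAPDirectory, whatever the prefix."""
    return [e for e in root.iter() if _local(e.tag) == "DataConnector"
            and e.get(XSI_TYPE, "").split(":")[-1] == "LDAPDirectory"]

def audit_resolver(xml_text):
    """Return ids of LDAP connectors that still carry a <ResultCache> child."""
    root = ET.fromstring(xml_text)
    return [c.get("id") for c in _ldap_connectors(root)
            if any(_local(ch.tag) == "ResultCache" for ch in c)]

def harden_resolver(xml_text):
    """Remove <ResultCache> from every LDAP connector; return (new_xml, removed_count)."""
    root = ET.fromstring(xml_text)
    removed = 0
    for conn in _ldap_connectors(root):
        for child in list(conn):           # copy: we mutate while iterating
            if _local(child.tag) == "ResultCache":
                conn.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed
```

Running audit_resolver on the sample reports ["myLDAP"]; after harden_resolver the same check returns an empty list. Deployers should review the serialised output before installing it, since ElementTree does not preserve comments or the original whitespace.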


References
==========

URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20161027.txt


Credits
=======
Jeffrey Eaton, Carnegie Mellon University

[1] https://wiki.shibboleth.net/confluence/display/IDP30/LDAPConnector
