Shibboleth Service Provider Security Advisory [11 March 2019]

Cantor, Scott E.
An updated version of the XMLTooling library that is part of the
OpenSAML and Shibboleth Service Provider software is now available
which corrects a denial of service vulnerability.

This issue has been assigned CVE-2019-9628.

XML parser class fails to trap exceptions on malformed XML declaration
======================================================================
Invalid data in the XML declaration causes an exception of a type
that was not handled properly in the parser class and propagates an
unexpected exception type.

This generally manifests as a crash in the calling code, which in the
Service Provider software's case is usually the shibd daemon process,
but can be Apache in some cases. Note that the crash occurs prior to
evaluation of a message's authenticity, so can be exploited by an
untrusted attacker.

This issue is *not* specific to the V3 XMLTooling software and is
believed to impact all versions prior to V3.0.4.

Recommendations
===============
Update to V3.0.4 or later of the XMLTooling library, which is
now available.

The updated version of the library has been included in a V3.0.4 patch
release of the Service Provider software on Windows.

Other Notes
===========
The xmltooling git commit containing the fix for this issue is
af27c422f551e16989ff6f1722d83614c8550eb5 and is in general terms
applicable to V2 of the library.

Credits
=======
Ross Geerlings, University of Michigan

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20190311.txt

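The failure mode the advisory describes, as an added illustration that is not code from xmltooling, OpenSAML or the Shibboleth SP: a parse boundary that catches only the exception type it expects, beside a hardened form that catches every C++ exception and reports a parse failure. The ParserException and DeclarationError types, lowLevelParse, and the sample documents are constructed stand-ins, not the real Xerces or xmltooling types, and the exact type that escaped in the real bug is not stated here.

```cpp
// Added illustration (not xmltooling code): an exception type the parse
// boundary does not expect escapes it, and in a daemon with no outer handler
// that means std::terminate() and a dead process before any signature check.
#include <cstdio>
#include <stdexcept>
#include <string>

// Exception type the hypothetical wrapper expects its parser to throw.
struct ParserException : std::runtime_error {
    using std::runtime_error::runtime_error;
};
// Unrelated type thrown for a malformed XML declaration (stand-in for the
// "unexpected exception type" in the advisory; not a real Xerces type).
struct DeclarationError : std::logic_error {
    using std::logic_error::logic_error;
};

// Hypothetical low-level parse. A broken XML declaration throws
// DeclarationError; other well-formedness problems throw ParserException.
void lowLevelParse(const std::string& doc) {
    if (doc.compare(0, 5, "<?xml") == 0) {
        std::size_t end = doc.find("?>");
        std::size_t ver = doc.find("version=", 5);
        if (end == std::string::npos || ver == std::string::npos || ver > end)
            throw DeclarationError("malformed XML declaration");
    }
    if (doc.find('<') == std::string::npos)
        throw ParserException("no root element");
}

// "Before": only ParserException is trapped, so DeclarationError propagates
// out of the boundary and the calling code never gets a chance to recover.
bool parseVulnerable(const std::string& doc) {
    try {
        lowLevelParse(doc);
        return true;
    } catch (const ParserException&) {
        return false;
    }
}

// "After": every exception is converted into a parse failure at the boundary.
// Derived types are listed before std::exception so the order is correct.
bool parseHardened(const std::string& doc) {
    try {
        lowLevelParse(doc);
        return true;
    } catch (const ParserException&) {
        return false;
    } catch (const std::exception&) {   // anything derived from std::exception
        return false;
    } catch (...) {                     // anything else, e.g. non-std types
        return false;
    }
}

// Models an unauthenticated request reaching the parser: returns true if an
// exception escaped the parse boundary (what would crash shibd or Apache).
bool exceptionEscapes(bool (*parse)(const std::string&), const std::string& doc) {
    try {
        parse(doc);
        return false;
    } catch (...) {
        return true;
    }
}

// Constructed sample inputs (not captured traffic).
const std::string kWellFormed    = "<?xml version=\"1.0\"?><samlp:Response/>";
const std::string kMalformedDecl = "<?xml version=\"1.0\" encoding=\"UTF-8\"";  // no "?>"
const std::string kNoRoot        = "not xml at all";

int main() {
    std::printf("vulnerable boundary, malformed declaration: escapes=%d\n",
                exceptionEscapes(parseVulnerable, kMalformedDecl));
    std::printf("hardened boundary,   malformed declaration: escapes=%d ok=%d\n",
                exceptionEscapes(parseHardened, kMalformedDecl),
                parseHardened(kMalformedDecl));
    std::printf("hardened boundary,   well-formed document:  ok=%d\n",
                parseHardened(kWellFormed));
    return 0;
}
```

The point of the hardened form is that untrusted input reaches the parser before the message's signature is checked, so the parse boundary, not the caller, has to be the place where every exception type is turned into an ordinary failure.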