Courtesy Security Advisory for Shibboleth Identity Provider v2 and OpenSAML v2
This is a courtesy security advisory for the Shibboleth Identity
Provider v2 and OpenSAML v2. Both projects reached end-of-life in
July 2016. We are sending this announcement as a courtesy for
anyone who may still be using this very old and unsupported
software. v3 and newer of both software packages are unaffected
by this issue.
The org.opensaml.xml.util.Base64 support class found in
java-xmltooling (a component of OpenSAML v2) is subject to a gzip
bomb denial-of-service (memory exhaustion) attack when very large
Base64-encoded, gzipped data is decoded.
For technical details, see the Jira issue.
OpenSAML v2 users who are using this class directly are advised
at a minimum to switch to a different Base64 implementation.
For Identity Provider v2 users, there is no workaround.
For both projects a different Base64 implementation was used
starting with v3.0, so no modern and supported versions of the
software are affected.
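As an added illustration, not code from the advisory or from the OpenSAML project, the following is a Base64 decoder that inflates gzipped input only up to a fixed output budget, aborting before a small compressed input can expand into an unbounded in-memory buffer. The gzip magic-byte detection, the cap values and the sample payload are assumptions constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Base64;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

public class BoundedBase64Gunzip {
    // gzip streams start with the magic bytes 0x1f 0x8b (assumed detection rule).
    private static boolean isGzip(byte[] b) {
        return b.length >= 2 && (b[0] & 0xff) == 0x1f && (b[1] & 0xff) == 0x8b;
    }

    /** Base64-decodes input; if the result is gzipped, inflates it but stops as soon as maxOutput bytes would be exceeded. */
    public static byte[] decode(String base64, int maxOutput) throws IOException {
        byte[] raw = Base64.getMimeDecoder().decode(base64);
        if (!isGzip(raw)) {
            return raw;
        }
        try (GZIPInputStream in = new GZIPInputStream(new ByteArrayInputStream(raw));
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                // Check the budget before buffering, so memory use is bounded by maxOutput plus one buffer.
                if (out.size() + n > maxOutput) {
                    throw new IOException("decompressed output exceeds " + maxOutput + " bytes; rejecting input");
                }
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: one million zero bytes compress to roughly a kilobyte of gzip data.
        byte[] payload = new byte[1_000_000];
        ByteArrayOutputStream gz = new ByteArrayOutputStream();
        try (GZIPOutputStream g = new GZIPOutputStream(gz)) { g.write(payload); }
        String encoded = Base64.getEncoder().encodeToString(gz.toByteArray());
        System.out.println("Base64 input length: " + encoded.length() + " chars");

        // A cap above the expanded size decodes fully.
        System.out.println("decoded with 2 MB cap: " + decode(encoded, 2_000_000).length + " bytes");
        // A tight cap aborts early instead of materialising the whole expansion.
        try {
            decode(encoded, 64 * 1024);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```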
In general, if you are using v2 of either software package it is
of course strongly recommended to upgrade to a modern supported