Courtesy Security Advisory for Shibboleth Identity Provider v2 and OpenSAML v2

Brent Putman

This is a courtesy security advisory for the Shibboleth Identity Provider v2 and OpenSAML v2.  Both projects reached end-of-life in July 2016.  We are sending this announcement as a courtesy for anyone who may still be using this very old and unsupported software.  v3 and newer of both software packages are unaffected by this issue.

The org.opensaml.xml.util.Base64 support class found in java-xmltooling (component of OpenSAML v2) is subject to a gzip bomb DoS memory exhaustion attack if very large Base64 and gzipped data is decoded.

For technical details see the Jira issue [1].

OpenSAML v2 users who are using this class directly are advised at a minimum to switch to a different Base64 implementation.

For Identity Provider v2 users, there is no workaround.

For both projects a different Base64 implementation was used starting with v3.0, so no modern and supported versions of the software are affected.

In general, if you are using v2 of either software package it is of course strongly recommended to upgrade to a modern supported version.

Thanks,
Brent

[1] https://issues.shibboleth.net/jira/browse/JXT-126
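As an added illustration (not code from the advisory or from the OpenSAML project), this Java example shows the defensive property a Base64-plus-gzip decoder needs against the memory exhaustion described above: inflating only up to a caller-chosen ceiling and rejecting input that would expand beyond it. The class name, the limit and the sample payload are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Base64;
import java.util.zip.GZIPInputStream;
import java.util.zip.GZIPOutputStream;

/** Base64 + gzip decoding with a hard cap on the inflated size (hypothetical helper). */
public final class BoundedBase64Gzip {

    /** Decodes Base64, then inflates; refuses to go past maxInflated bytes of output. */
    public static byte[] decode(String base64, int maxInflated) throws IOException {
        byte[] compressed = Base64.getMimeDecoder().decode(base64);
        try (GZIPInputStream gz = new GZIPInputStream(new ByteArrayInputStream(compressed));
             ByteArrayOutputStream out = new ByteArrayOutputStream()) {
            byte[] buf = new byte[8192];
            int total = 0;
            int n;
            while ((n = gz.read(buf)) != -1) {
                total += n;
                if (total > maxInflated) {
                    // Stop before the inflated data grows past the ceiling instead of buffering it all.
                    throw new IOException("inflated data exceeds limit of " + maxInflated + " bytes");
                }
                out.write(buf, 0, n);
            }
            return out.toByteArray();
        }
    }

    /** Constructed sample: a highly compressible payload standing in for a much larger one. */
    static String sample(int inflatedSize) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (GZIPOutputStream gz = new GZIPOutputStream(bos)) {
            gz.write(new byte[inflatedSize]); // all zeros: compresses to around a kilobyte
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws IOException {
        String payload = sample(1 << 20); // 1 MiB of zeros, encoded to a short Base64 string
        System.out.println("encoded length: " + payload.length());
        System.out.println("within limit:   " + decode(payload, 2 << 20).length + " bytes");
        try {
            decode(payload, 64 * 1024); // 64 KiB cap: rejected before memory is exhausted
        } catch (IOException e) {
            System.out.println("rejected:       " + e.getMessage());
        }
    }
}
```

The ceiling should be sized to the largest legitimate message the deployment expects to receive, so that oversized input fails fast rather than consuming heap.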

