Shibboleth Identity Provider Security Advisory [2 October 2019]

Cantor, Scott E.

Shibboleth Identity Provider Security Advisory [2 October 2019]

Denial of service via External authentication flows
===================================================
The Shibboleth Identity Provider supports a number of login flows that
rely on servlets or JSP pages to operate, including External, RemoteUser,
X509, and SPNEGO.

These flows are vulnerable to a denial of service attack by a remote,
unauthenticated attacker, via Java heap exhaustion due to the creation
of objects in the Java Servlet container session.

Deployments that make use of any of these login flows, either directly
or via the MFA flow, are vulnerable to this issue.

The flows have been redesigned so that they no longer create objects
outside of the existing controls that limit the number of webflow
conversations a client can open; within those controls, older
conversation state is released to the garbage collector before new
state accumulates.

The redesign required API changes to a pair of classes that would
ordinarily not be permitted in a patch release, but direct use of these
classes by deployers has been deemed unlikely and existing External/etc.
login flow deployments remain compatible with the upgrade.
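As an added illustration of the control the redesigned flows now stay within (this is not the IdP's own code, and the class, method and field names are assumptions): a per-session store that caps the number of live login conversations and evicts the oldest, so state left behind by unauthenticated requests becomes garbage-collectable instead of pinning heap indefinitely.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added illustration (not Shibboleth code): per-session flow state kept
 * under a conversation cap. Without such a cap, every unauthenticated
 * request to an External/RemoteUser/X509/SPNEGO-style flow can leave a
 * new object in the servlet container session until the heap is exhausted.
 */
public class BoundedConversationStore {

    /** Stand-in for the per-conversation state a login flow keeps (constructed). */
    static final class ConversationState {
        final byte[] payload = new byte[4096];
    }

    private final int maxConversations;
    private final Map<String, ConversationState> conversations;

    BoundedConversationStore(int maxConversations) {
        this.maxConversations = maxConversations;
        // Access-ordered LinkedHashMap: once the cap is exceeded the eldest
        // conversation is dropped, so its state is eligible for GC.
        this.conversations = new LinkedHashMap<>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, ConversationState> eldest) {
                return size() > BoundedConversationStore.this.maxConversations;
            }
        };
    }

    /** Starts a conversation for the given id; older ones are evicted past the cap. */
    void begin(String conversationId) {
        conversations.put(conversationId, new ConversationState());
    }

    int liveConversations() { return conversations.size(); }

    boolean isLive(String conversationId) { return conversations.containsKey(conversationId); }

    public static void main(String[] args) {
        BoundedConversationStore store = new BoundedConversationStore(5);
        for (int i = 0; i < 1000; i++) {
            store.begin("conv-" + i); // simulated unauthenticated flow starts
        }
        // Only the newest conversations remain referenced; the rest can be collected.
        System.out.println("live=" + store.liveConversations()
                + " conv-0 still live=" + store.isLive("conv-0"));
    }
}
```

The cap value and the conversation-id scheme are constructed for the illustration; the IdP's real limit is enforced by its webflow engine and is not reproduced here.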


Affected Versions
=================
Versions of the Identity Provider between V3.0.0 and V3.4.5

Recommendations
===============
Upgrade to Identity Provider V3.4.6 or later.

References
==========
URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20191002.txt

Credits
=======
Jamie Arthur from Queensland University of Technology
