Shibboleth Service Provider Security Advisory [21 July 2015]

Cantor, Scott E.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Shibboleth Service Provider Security Advisory [21 July 2015]

An updated version of the Shibboleth Project's OpenSAML software in
C++ is available which corrects a security issue. This issue affects
the operation of the Service Provider software.


Shibboleth SP software crashes on well-formed but invalid XML
====================================================================
The Service Provider software contains a code path with an uncaught
exception that can be triggered by an unauthenticated attacker by
supplying well-formed but schema-invalid XML in the form of SAML
metadata or SAML protocol messages. The result is a crash, and therefore
a denial of service.

Updated versions of OpenSAML-C (V2.5.5) and XMLTooling-C (V1.5.5)
are available that correct this bug.

This vulnerability has been assigned CVE-2015-2684.

Recommendations
===============
Where possible, upgrade to V2.5.5 or later of the OpenSAML-C library
and to V1.5.5 or later of the XMLTooling-C library. Correcting this bug
requires that the OpenSAML library be rebuilt against the corrected
version of the XMLTooling-C library, which is normally assured by
obtaining updates to both.

Linux installations relying on official RPM packages can upgrade to
the latest package versions to obtain the fix.

The MacPorts packages have also been updated.

Windows systems should upgrade to the latest Service Provider release
(V2.5.5) which contains the appropriately updated libraries. [1]

In the interim, a partial mitigation for this issue can be accomplished
by enforcing schema validation of SAML metadata and/or SAML protocol
messages in the SP configuration. This will prevent a crash, but because
the default validation is more lax, it may break interoperation with
metadata sources or partners that currently work only because their XML
is not being validated. While these are bugs in those metadata sources or
peer systems, they may nonetheless need to be accommodated.

To enforce schema validation of metadata, you may add an XML attribute,
validate="true", to any <MetadataProvider> element used in shibboleth2.xml:

  <MetadataProvider validate="true" ... >

To enforce schema validation of protocol messages, you may add the same
XML attribute to the <Policy> element in the security-policy.xml file:

<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">
    <Policy id="default" validate="true">
    ...
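Before turning on validate="true", it helps to know which metadata sources are
"well-formed but schema-invalid" and would therefore start being rejected. The
following is an added example, not part of this advisory or of the Shibboleth SP
code: it parses a metadata document with the Python standard library
(well-formedness), then checks a subset of the constraints from
saml-schema-metadata-2.0.xsd (required attributes, child-element order and
cardinality for the common element types). The function names and the sample
metadata are constructed for illustration. A full XSD validator (for example
xmllint --schema with the OASIS schemas) remains the authoritative check; this
script only shows the distinction the advisory relies on and catches the common
real-world offenders such as misordered children and missing required attributes.

```python
"""Pre-flight check: well-formed vs. schema-valid SAML 2.0 metadata.

Added example (not Shibboleth project code). Encodes a subset of
saml-schema-metadata-2.0.xsd; run a real XSD validator for the full check.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def q(ns, name):
    """Clark-notation tag as ElementTree reports it: {ns}name."""
    return "{%s}%s" % (ns, name)


def local(tag):
    return tag.rsplit("}", 1)[-1]


def md(*names):
    return tuple(q(MD, n) for n in names)


ROLES = md("RoleDescriptor", "IDPSSODescriptor", "SPSSODescriptor",
           "AuthnAuthorityDescriptor", "AttributeAuthorityDescriptor",
           "PDPDescriptor")

# Child models: ordered (alternatives, min, max) entries, max None = unbounded,
# transcribed from the xs:sequence of each complexType in the metadata schema.
SIG = ((q(DS, "Signature"),), 0, 1)
EXT = (md("Extensions"), 0, 1)
ROLE_TAIL = [(md("KeyDescriptor"), 0, None), (md("Organization"), 0, 1),
             (md("ContactPerson"), 0, None)]
SSO_TAIL = [(md("ArtifactResolutionService"), 0, None),
            (md("SingleLogoutService"), 0, None),
            (md("ManageNameIDService"), 0, None),
            (md("NameIDFormat"), 0, None)]

CHILDREN = {
    q(MD, "EntitiesDescriptor"): [SIG, EXT,
                                  (md("EntitiesDescriptor", "EntityDescriptor"), 1, None)],
    # Schema says (role descriptor)+ OR AffiliationDescriptor; the either/or is
    # not enforced here, only that at least one of them appears, in order.
    q(MD, "EntityDescriptor"): [SIG, EXT, (ROLES + md("AffiliationDescriptor"), 1, None),
                                (md("Organization"), 0, 1), (md("ContactPerson"), 0, None),
                                (md("AdditionalMetadataLocation"), 0, None)],
    q(MD, "SPSSODescriptor"): [SIG, EXT] + ROLE_TAIL + SSO_TAIL +
                              [(md("AssertionConsumerService"), 1, None),
                               (md("AttributeConsumingService"), 0, None)],
    q(MD, "IDPSSODescriptor"): [SIG, EXT] + ROLE_TAIL + SSO_TAIL +
                               [(md("SingleSignOnService"), 1, None),
                                (md("NameIDMappingService"), 0, None),
                                (md("AssertionIDRequestService"), 0, None),
                                (md("AttributeProfile"), 0, None),
                                ((q(SAML, "Attribute"),), 0, None)],
    q(MD, "KeyDescriptor"): [((q(DS, "KeyInfo"),), 1, 1), (md("EncryptionMethod"), 0, None)],
}

REQUIRED_ATTRS = {
    q(MD, "EntityDescriptor"): ("entityID",),
    q(MD, "SPSSODescriptor"): ("protocolSupportEnumeration",),
    q(MD, "IDPSSODescriptor"): ("protocolSupportEnumeration",),
    q(MD, "ContactPerson"): ("contactType",),
}
# EndpointType requires Binding and Location; IndexedEndpointType also requires index.
for _n in ("SingleSignOnService", "SingleLogoutService", "ManageNameIDService",
           "NameIDMappingService", "AssertionIDRequestService"):
    REQUIRED_ATTRS[q(MD, _n)] = ("Binding", "Location")
for _n in ("AssertionConsumerService", "ArtifactResolutionService"):
    REQUIRED_ATTRS[q(MD, _n)] = ("Binding", "Location", "index")


def _check_children(elem, spec, path, problems):
    """Walk the children against the ordered model; leftovers are misordered or foreign."""
    children = list(elem)
    i = 0
    for alts, lo, hi in spec:
        n = 0
        while i < len(children) and children[i].tag in alts and (hi is None or n < hi):
            n += 1
            i += 1
        if n < lo:
            problems.append("%s: expected at least %d of %s here, found %d"
                            % (path, lo, "|".join(local(t) for t in alts), n))
    allowed = {t for alts, _, _ in spec for t in alts}
    for child in children[i:]:
        if child.tag in allowed:
            problems.append("%s: %s is out of order (or repeated beyond its maximum)"
                            % (path, local(child.tag)))
        else:
            problems.append("%s: unexpected element %s" % (path, local(child.tag)))


def _walk(elem, path, problems):
    for attr in REQUIRED_ATTRS.get(elem.tag, ()):
        if attr not in elem.attrib:
            problems.append("%s: missing required attribute %s" % (path, attr))
    spec = CHILDREN.get(elem.tag)
    if spec is not None:
        _check_children(elem, spec, path, problems)
    for child in elem:
        _walk(child, path + "/" + local(child.tag), problems)


def validate_metadata(xml_text):
    """Return (well_formed, problems).

    (False, [...]): the XML parser rejected the input.
    (True, []):     passes this partial schema check.
    (True, [...]):  well-formed but schema-invalid, the input class that
                    validate="true" makes the SP reject.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:
        return False, ["not well-formed: %s" % e]
    problems = []
    if root.tag not in md("EntitiesDescriptor", "EntityDescriptor"):
        problems.append("root element %s is not md:EntitiesDescriptor or md:EntityDescriptor"
                        % local(root.tag))
    _walk(root, local(root.tag), problems)
    return True, problems


# Constructed sample inputs (not real metadata).
VALID_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical"/>
</md:EntityDescriptor>"""

# Well-formed, but ContactPerson precedes the role descriptor and
# protocolSupportEnumeration is missing: lax parsing accepts it, schema validation does not.
INVALID_SP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:ContactPerson contactType="technical"/>
  <md:SPSSODescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Not even well-formed: the closing root tag is dropped.
NOT_WELL_FORMED = VALID_SP[:-len("</md:EntityDescriptor>")]

if __name__ == "__main__":
    for label, doc in (("valid", VALID_SP), ("schema-invalid", INVALID_SP),
                       ("not well-formed", NOT_WELL_FORMED)):
        ok, probs = validate_metadata(doc)
        print(label, "well-formed=%s" % ok, *probs, sep="\n  ")
```

Run it against each file a <MetadataProvider> loads (or against a dump of a
partner's SAML messages); any document that comes back well-formed with a
non-empty problem list is one that validate="true" will start rejecting, and
it is the owner of that metadata or peer system who needs to fix it.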

Credits
=======
Thanks to the InCommon Shibboleth Training team for reporting this
issue and assisting with diagnosis and verifying the fix.

[1] http://shibboleth.net/downloads/service-provider/2.5.5/

URL for this Security Advisory:
http://shibboleth.net/community/advisories/secadv_20150721.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
