Shibboleth Service Provider Security Advisory [21 July 2015] for ShibSP < 2.5.5

Bug #1480765 reported by Nathan Robertson on 2015-08-03
Affects Status Importance Assigned to Milestone
shibboleth-sp2 (Ubuntu)

Bug Description

The following email was sent to <email address hidden> on 21st July 2015:


Shibboleth Service Provider Security Advisory [21 July 2015]

An updated version of the Shibboleth Project's OpenSAML software in
C++ is available which corrects a security issue. This issue affects
the operation of the Service Provider software.

Shibboleth SP software crashes on well-formed but invalid XML
The Service Provider software contains a code path with an uncaught
exception that can be triggered by an unauthenticated attacker by
supplying well-formed but schema-invalid XML in the form of SAML
metadata or SAML protocol messages. The result is a crash and so
causes a denial of service.

Updated versions of OpenSAML-C (V2.5.5) and XMLTooling-C (V1.5.5)
are available that correct this bug.

This vulnerability has been assigned CVE-2015-2684.

Where possible, upgrade to V2.5.5 or later of the OpenSAML-C library
and to V1.5.5 of the XMLTooling-C library. Correcting this bug requires
that the OpenSAML library be rebuilt against the corrected version of
the XMLTooling-C library, which is normally assured by obtaining
updates to both.

Linux installations relying on official RPM packages can upgrade to
the latest package versions to obtain the fix.

The MacPorts have also been updated.

Windows systems should upgrade to the latest Service Provider release
(V2.5.5) which contains the appropriately updated libraries. [1]

In the interim, a partial mitigation for this issue can be accomplished
by enforcing schema validation of SAML metadata and/or SAML protocol
messages in the SP configuration. This will prevent a crash, but may
result in problems interoperating with metadata or partners that are
currently functioning because of the more lax validation done by
default. While these are bugs in those metadata sources or peer
systems, they may nonetheless need to be accommodated.

To enforce schema validation of metadata, you may add an XML attribute,
validate="true", to any <MetadataProvider> element used:

  <MetadataProvider validate="true" ... >

To enforce schema validation of protocol messages, you may add the same
XML attribute to the <Policy> element in the security-policy.xml file:

<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">
    <Policy id="default" validate="true">

Thanks to the InCommon Shibboleth Training team for reporting this
issue and assisting with diagnosis and verifying the fix.


URL for this Security Advisory:


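The interim mitigation above has to be applied to every <MetadataProvider> and every <Policy> element, and a single element left without validate="true" still leaves that code path exposed. An added audit script (not from the advisory, the bug reporter or the Shibboleth project) parses both configuration files in the SP's configuration namespace and lists each element still lacking the attribute; the two sample configurations are constructed, and the skip for type="Chaining" container providers and the true/1 boolean spelling are assumptions:

```python
# Added example (not from the advisory or the Shibboleth project): audit the SP
# configuration for the CVE-2015-2684 interim mitigation, i.e. validate="true" on
# every <MetadataProvider> in shibboleth2.xml and every <Policy> in security-policy.xml.
import xml.etree.ElementTree as ET

SP_NS = "urn:mace:shibboleth:2.0:native:sp:config"

# Constructed sample configurations standing in for the real files under the SP config directory.
SAMPLE_SHIBBOLETH2 = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <MetadataProvider type="XML" validate="true" uri="https://fed.example.org/metadata.xml"/>
    <MetadataProvider type="XML" file="partner-metadata.xml"/>
  </ApplicationDefaults>
</SPConfig>"""

SAMPLE_POLICY = """<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <Policy id="default" validate="true"/>
  <Policy id="legacy"/>
</SecurityPolicies>"""

def _is_true(value):
    # Assumption: the SP accepts boolean attributes spelled true/false or 1/0.
    return (value or "").strip().lower() in ("true", "1")

def unvalidated_elements(xml_text, local_name):
    """Return an identifier for each <local_name> element that lacks validate="true"."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter(f"{{{SP_NS}}}{local_name}"):
        # Assumption: a type="Chaining" provider is only a container and carries no validate flag.
        if elem.get("type") == "Chaining":
            continue
        if not _is_true(elem.get("validate")):
            findings.append(elem.get("id") or elem.get("uri") or elem.get("file") or "<unnamed>")
    return findings

def audit(shibboleth2_xml, security_policy_xml):
    """Map element name -> offending identifiers; an empty dict means the mitigation is complete."""
    report = {}
    for name, xml_text in (("MetadataProvider", shibboleth2_xml), ("Policy", security_policy_xml)):
        missing = unvalidated_elements(xml_text, name)
        if missing:
            report[name] = missing
    return report

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_SHIBBOLETH2, SAMPLE_POLICY).items():
        for ident in missing:
            print(f'{name} "{ident}" lacks validate="true"')
```

To check a live installation, read the real shibboleth2.xml and security-policy.xml into strings and pass them to audit() in place of the constructed samples.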

CVE References

Nathan Robertson (nathanr) wrote :

Upstream has a backport of the 2.5.4 security fix, from March 2015, which also has not been applied (2.5.3+dfsg-2).

Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information:

Changed in shibboleth-sp2 (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

If you're able to work on this, please note that there is an older issue still open that probably needs to be addressed, too:


Launchpad Janitor (janitor) wrote :

[Expired for shibboleth-sp2 (Ubuntu) because there has been no activity for 60 days.]

Changed in shibboleth-sp2 (Ubuntu):
status: Incomplete → Expired