CVE-2021-31826: Session recovery feature contains a null pointer dereference
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| shibboleth-sp (Debian) | Fix Released | Unknown | | |
| shibboleth-sp (Ubuntu) | Fix Released | Medium | Steve Beattie | |

Bug Description
Upstream advisory: https:/
Shibboleth Service Provider Security Advisory [26 April 2021]
An updated version of the Service Provider software is now
available which corrects a denial of service vulnerability.
Session recovery feature contains a null pointer dereference
============================================================
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.
This manifests as a crash in the shibd daemon/service process.
Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.
Versions without this feature (prior to V3.0) are not vulnerable
to this particular issue.
Recommendations
===============
Update to V3.2.2 or later of the Service Provider software, which
is now available.
In cases where this is not immediately possible, configuring a
DataSealer component in shibboleth2.xml (even if used for nothing)
will work around the vulnerability.
For example:
<DataSealer type="Static" key="4Sn0Wi6BXq
This workaround is only possible after having updated the
core configuration to the V3 XML namespace.
Other Notes
===========
The cpp-sp git commit containing the fix for this issue is
5a47c3b9378f4c4
URL for this Security Advisory:
https:/
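The check below is an added example, not part of the advisory or of the Shibboleth project's code: it classifies one SP install against the version range and the DataSealer workaround described above. The V3 namespace URI, the status labels, the sample configurations and the placeholder key are assumptions made for illustration; the comparison uses upstream version numbers only, so a distribution package carrying a backported fix still needs its own changelog checked.

```python
import re
import xml.etree.ElementTree as ET

V3_NS = "urn:mace:shibboleth:3.0:native:sp:config"  # assumed V3 config namespace
INTRODUCED = (3, 0, 0)  # advisory: session recovery feature added in V3.0
FIXED = (3, 2, 2)       # advisory: update to V3.2.2 or later

def parse_version(text):
    """Return the leading dotted version as a 3-tuple, e.g. '3.0.4+dfsg1-1' -> (3, 0, 4)."""
    m = re.match(r"\s*(\d+(?:\.\d+){0,2})", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(version, config_xml):
    """Classify an install: not-affected, mitigated, exposed, or exposed-no-workaround."""
    v = parse_version(version)
    if v < INTRODUCED or v >= FIXED:
        return "not-affected"
    root = ET.fromstring(config_xml)
    # ElementTree encodes the namespace as '{uri}LocalName' in the tag.
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if ns != V3_NS:
        # The workaround needs the core configuration on the V3 XML namespace.
        return "exposed-no-workaround"
    if root.find(f".//{{{V3_NS}}}DataSealer") is not None:
        return "mitigated"
    return "exposed"

# Constructed sample configurations (not from any real deployment).
V3_NO_SEALER = f'<SPConfig xmlns="{V3_NS}"><ApplicationDefaults/></SPConfig>'
V3_WITH_SEALER = (
    f'<SPConfig xmlns="{V3_NS}">'
    '<DataSealer type="Static" key="PLACEHOLDER-KEY"/>'
    '<ApplicationDefaults/></SPConfig>'
)
V2_CONFIG = '<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"/>'

if __name__ == "__main__":
    for ver, cfg in [("3.1.0", V3_NO_SEALER), ("3.1.0", V3_WITH_SEALER),
                     ("3.1.0", V2_CONFIG), ("3.2.2", V3_NO_SEALER)]:
        print(ver, assess(ver, cfg))
```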
CVE References
information type: Private Security → Public Security
Changed in shibboleth-sp (Debian): status: Unknown → Confirmed
Changed in shibboleth-sp (Debian): status: Confirmed → Fix Released
Changed in shibboleth-sp (Ubuntu): importance: Undecided → Medium
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures