Shibboleth Service Provider Security Advisory [21 July 2015] for ShibSP < 2.5.5
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
shibboleth-sp2 (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
The following email was sent to <email address hidden> on 21st July 2015:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Shibboleth Service Provider Security Advisory [21 July 2015]
An updated version of the Shibboleth Project's OpenSAML software in
C++ is available which corrects a security issue. This issue affects
the operation of the Service Provider software.
Shibboleth SP software crashes on well-formed but invalid XML
=============================================================
The Service Provider software contains a code path with an uncaught
exception that can be triggered by an unauthenticated attacker by
supplying well-formed but schema-invalid XML in the form of SAML
metadata or SAML protocol messages. The result is a crash and so
causes a denial of service.
Updated versions of OpenSAML-C (V2.5.5) and XMLTooling-C (V1.5.5)
are available that correct this bug.
This vulnerability has been assigned CVE-2015-2684.
Recommendations
===============
Where possible, upgrade to V2.5.5 or later of the OpenSAML-C library
and to V1.5.5 of the XMLTooling-C library. Correcting this bug requires
that the OpenSAML library be rebuilt against the corrected version of
the XMLTooling-C library, which is normally assured by obtaining
updates to both.
Linux installations relying on official RPM packages can upgrade to
the latest package versions to obtain the fix.
The MacPorts have also been updated.
Windows systems should upgrade to the latest Service Provider release
(V2.5.5) which contains the appropriately updated libraries. [1]
In the interim, a partial mitigation for this issue can be accomplished
by enforcing schema validation of SAML metadata and/or SAML protocol
messages in the SP configuration. This will prevent a crash, but may
result in problems interoperating with metadata or partners that are
currently functioning because of the more lax validation done by
default. While these are bugs in those metadata sources or peer
systems, they may nonetheless need to be accommodated.
To enforce schema validation of metadata, you may add an XML attribute,
validate="true", to any <MetadataProvider> element used:
<MetadataProvider validate="true" ... >
To enforce schema validation of protocol messages, you may add the same
XML attribute to the <Policy> element in the security-policy.xml file:
<SecurityPolicies xmlns="
<Policy id="default" validate="true">
...
Credits
=======
Thanks to the InCommon Shibboleth Training team for reporting this
issue and assisting with diagnosis and verifying the fix.
[1] http://
URL for this Security Advisory:
http://
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
[signature truncated]
-----END PGP SIGNATURE-----
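The advisory's interim mitigation (validate="true") rests on one distinction: XML that parses cleanly is not the same as XML that matches the schema the consuming code assumes. The following is an added illustration, not code from the advisory, from Shibboleth, or from OpenSAML/XMLTooling. It stands in a hand-written subset of the SAML 2.0 metadata schema for the real XSD (the namespace URI is the real one; the role-element list, the documents and the check function are constructed for this example) and shows how a document that is well-formed but missing a required attribute turns into an uncaught exception when processing runs without validation, and into a controlled rejection when validation runs first.

```python
"""Well-formed vs. schema-valid XML, and why validation must precede use.

Added example, not part of the advisory or of the Shibboleth code base.
The "schema" below is a hand-coded subset of the SAML 2.0 metadata rules
(EntityDescriptor needs entityID; each role descriptor needs
protocolSupportEnumeration); the real SP validates against the full XSD.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"          # real namespace URI
# Subset of the role descriptors defined by the metadata schema (assumption:
# only these three are recognised by this toy validator).
ROLE_TAGS = {"{%s}%s" % (MD_NS, r) for r in
             ("SPSSODescriptor", "IDPSSODescriptor", "AttributeAuthorityDescriptor")}
ENTITY_TAG = "{%s}EntityDescriptor" % MD_NS

# Constructed sample documents (entityID value is a placeholder).
VALID = (b'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
         b' entityID="https://sp.example.org/shibboleth">'
         b'<md:SPSSODescriptor protocolSupportEnumeration='
         b'"urn:oasis:names:tc:SAML:2.0:protocol"/>'
         b'</md:EntityDescriptor>')
# Well-formed (parses fine) but schema-invalid: required entityID is absent.
INVALID_NO_ID = (b'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">'
                 b'<md:SPSSODescriptor protocolSupportEnumeration='
                 b'"urn:oasis:names:tc:SAML:2.0:protocol"/>'
                 b'</md:EntityDescriptor>')
# Well-formed but schema-invalid: role descriptor lacks a required attribute.
INVALID_NO_PSE = (b'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
                  b' entityID="https://sp.example.org/shibboleth">'
                  b'<md:SPSSODescriptor/></md:EntityDescriptor>')
# Not even well-formed: the root element is never closed.
MALFORMED = (b'<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
             b' entityID="https://sp.example.org/shibboleth">')


def structural_errors(root):
    """Return schema-style violations for a parsed EntityDescriptor (toy subset)."""
    if root.tag != ENTITY_TAG:
        return ["root element is %s, expected md:EntityDescriptor" % root.tag]
    errors = []
    if "entityID" not in root.attrib:
        errors.append("missing required attribute entityID")
    roles = [c for c in root if c.tag in ROLE_TAGS]
    if not roles:
        errors.append("no role descriptor child")
    for role in roles:
        if "protocolSupportEnumeration" not in role.attrib:
            errors.append("%s missing protocolSupportEnumeration" % role.tag)
    return errors


def unguarded_entity_id(root):
    """Mimics code that assumes validity and reaches in without a check.
    On schema-invalid input this raises KeyError; if nothing above it
    catches that, the process dies, which is the failure mode in the advisory."""
    return root.attrib["entityID"]


def process_metadata(xml_bytes, validate=True):
    """Return (status, detail). validate=False models the SP's lax default;
    validate=True models the advisory's validate="true" mitigation."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:          # malformed XML is always rejected
        return ("malformed", str(exc))
    if validate:
        errors = structural_errors(root)
        if errors:                        # rejected before any use of the data
            return ("invalid", "; ".join(errors))
    return ("ok", unguarded_entity_id(root))   # may raise when validate=False


def crashes_without_validation(xml_bytes):
    """True if processing this document with validation off escapes as an
    exception, i.e. would have taken down a handler that did not catch it."""
    try:
        process_metadata(xml_bytes, validate=False)
    except KeyError:
        return True
    return False


if __name__ == "__main__":
    for name, doc in (("VALID", VALID), ("INVALID_NO_ID", INVALID_NO_ID),
                      ("INVALID_NO_PSE", INVALID_NO_PSE), ("MALFORMED", MALFORMED)):
        print(name, "validate=True ->", process_metadata(doc, validate=True),
              "| crashes with validate=False:", crashes_without_validation(doc))
```

The point of the two modes is the one the advisory makes: INVALID_NO_PSE is harmless to this particular unguarded code path and INVALID_NO_ID is fatal to it, and without validation the only thing separating them is which field the code happens to touch first. Enabling validation rejects both before processing starts, at the cost the advisory notes: partners whose metadata or messages are schema-invalid but were previously tolerated will now be refused.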
Upstream has a backport of the 2.5.4 security fix, from March 2015, which also has not been applied (2.5.3+dfsg-2).