-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Identity Provider Security Advisory [13 August 2014]

HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification
=========================================================================

The HttpResource and FileBackedHttpResource implementations in OpenSAML and
the IdP make use of the Jakarta Commons HttpClient version 3.x. When used with
an HTTPS scheme, HttpClient by default does not perform verification of the
server hostname against the server's X.509 certificate.

The lack of hostname verification means that while the connection between the
client and HTTPS server is encrypted, the client has no way to verify it is
actually communicating with the appropriate HTTPS server hosting the resource
data. Any server presenting a certificate that chains to a trusted CA is
accepted, regardless of the name in that certificate, so an attacker on the
network path who holds a valid certificate for any other hostname can
impersonate the resource server.

In the IdP, HttpResource and FileBackedHttpResource might commonly be used
within service.xml to enable fetching of remote configuration resources for
services from an HTTP server. They might less commonly be used in
relying-party.xml in conjunction with a ResourceBackedMetadataProvider.

This issue has been assigned CVE-2014-3603.

Affected Versions
=================

Versions of the Identity Provider < 2.4.1
Versions of OpenSAML Java < 2.6.2

Recommendations
===============

IdP users: Upgrade to IdP 2.4.1 or greater, which globally configures an
appropriate hostname verifier for use with HttpClient. If this is not
feasible, and the only use of these resource types is with a
ResourceBackedMetadataProvider, then consider replacing the latter with either
a HTTPMetadataProvider or FileBackedHTTPMetadataProvider.

OpenSAML users: Upgrade to OpenSAML Java 2.6.2 or greater, which globally
configures an appropriate hostname verifier for use with HttpClient. If this
is not feasible, it is also possible to replicate in your own code the
registration of the appropriate hostname-verifying socket factory added in
2.6.2. See the HttpClient 3.x web site, or contact the Shibboleth developer
list for details.
Note that in IdP v2.4.0 and above, use of the HTTP metadata provider
configuration option 'disregardSslCertificate' will globally disable HttpClient
hostname verification as well as TLS certificate trust evaluation. This would
include the HttpResource hostname verification being added in the 2.4.1
release. This is a limitation caused by API issues with HttpClient 3.x, and
will be addressed in the 3.x version of the Identity Provider. See the
following related security advisory:

http://shibboleth.net/community/advisories/secadv_20130417.txt

Credits
=======

Kaspar Brand, SWITCH

Updates
=======

Updated on 2014-08-20 to add CVE assigned by Red Hat.

URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20140813.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJT9NP0AAoJEDeLhFQCJ3lieV4P/RFzcTKUT16STDUvRj3j5s/v
5tR3zNZNv1hx+UGwsGhKVboF/w0lqaqczWBQeQlxZq1Ft/o4JGg4S9+84fCTVq3Z
pCANlfOROiQAcrtuvWUIcGoGJ8MrTS5tyQ/PpKdTqbxatu5S5WpK8u2IwomB/XpB
vqN11WjYoYQHdVZlob8Mf0fDMsxFQMso4Vuaq/qtCHwT1Zd01hXEFjSHkAVEKazT
iO20h1PgMQ9dDkvhN0t5+9HIGBzBexk/siyXzSfQrvvJ3XbWQ8Mq/Lb2ySVVbEDa
edTZgzBOas76O4z4qSOc83qwunIDlsrRZOLzTJZ56dS8TdH1dfvCTqh0VeSbuWSZ
lS6TLxtnCpK1RMCsOf9t8KOlKtH5A2ODRujCiw8D4LAsXZSDX7aVY8NsXDrP1G0O
TicF/oNH6eOYUSppYGOpd2ukMrJs5Lk68vo8vTCqoLiG8nkpfsBlYC9EUtTYSkiF
rhXXPc2OCTkCj2GJQWDx7kJQvIA2HBBTOl/OIAW0F1OtCfYXuyBQY3+XEDtISXXC
EiUhL6jYhy+Vyxo37UH1xeRNSnOo44z9Q8yl9eM3SKSufRPc1H64RvXed9hRVg37
rD+/KYkDvlfpwDZHsg8nOpJ7b/0hcUHR5uHmLFQKqJBYlWfgQv6as4k0N8/hL96V
fSq81DNCw8g2/LblZjJz
=wQQ8
-----END PGP SIGNATURE-----