OpenSSL heartbleed bug / Shibboleth implications

Peter Schober peter.schober at univie.ac.at
Tue Apr 8 05:41:51 EDT 2014


* Ian Young <ian at iay.org.uk> [2014-04-08 11:22]:
> shibd needs to know the SP's private key because it uses it as a
> credential for the mutual authentication performed on back-channel
> operations. I think we're speculating that the back-channel use of
> OpenSSL by shibd may allow that key to be exposed to a hostile
> IdP. As Scott points out, though, because SPs in general only
> perform back-channel operations to locations found in metadata, it
> isn't quite trivial to exploit this.

Turns out the overwhelmingly bad firewall/packet filter configuration
for SOAP ports at IDPs (at least in our little federation; and
interfederation participation is only starting here) saved the day
here -- a measly 10% of our published IDP SOAP endpoints are actually
reachable, as a quick check revealed. (And of those it's not always
httpd serving up the port.)

> For the IdP, though, it's hard to avoid if you support any SOAP
> endpoints at all.

Being slow to update systems also helped us in this case, as RHEL<6.5
and Debian<7.0 (and deployments of SLES) are not vulnerable to THIS
exploit (when using OS-supplied libraries).
One of the rare occasions, though, for this to be the case. So as not to
overstate the merits of not applying OS updates.
-peter
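A defender-side inventory check of the kind the "quick check" above refers to, added here as an example and not code from the thread or from Shibboleth itself: it pulls every SOAP-bound endpoint (ArtifactResolutionService, AttributeService, SOAP SingleLogoutService) out of SAML metadata and reports whether each host:port accepts a TCP connection. The metadata below is constructed sample data with a hypothetical entity and host.

```python
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample metadata (hypothetical entityID and host), not real federation data.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/ArtifactResolution" index="1"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp.example.org:8443/idp/profile/SAML2/SOAP/AttributeQuery"/>
    </md:AttributeAuthorityDescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def soap_endpoints(metadata_xml):
    """Return {entityID: sorted list of (host, port)} for every SOAP-bound endpoint."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        hosts = set()
        for el in entity.iter():
            # Any endpoint element advertising the SOAP binding is a back-channel port.
            if el.get("Binding") == SOAP_BINDING and el.get("Location"):
                u = urlsplit(el.get("Location"))
                port = u.port or (443 if u.scheme == "https" else 80)
                hosts.add((u.hostname, port))
        result[entity.get("entityID")] = sorted(hosts)
    return result

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds (no TLS handshake, nothing sent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for entity_id, hosts in soap_endpoints(SAMPLE_METADATA).items():
        for host, port in hosts:
            print(entity_id, host, port, "reachable" if tcp_reachable(host, port) else "filtered")
```

Feed it the federation's aggregate metadata instead of SAMPLE_METADATA to get the reachable-versus-filtered ratio for all published SOAP ports.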
