Shibboleth Identity Provider Security Advisory [4 October 2017]
Doan, Tommy
tdoan at smu.edu
Wed Oct 4 11:43:50 EDT 2017
Does the vulnerability not apply to LDAP authN configuration but only to the attribute resolver?
-----Original Message-----
From: announce [mailto:announce-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, October 4, 2017 8:19 AM
To: announce at shibboleth.net
Subject: Shibboleth Identity Provider Security Advisory [4 October 2017]
Shibboleth Identity Provider Security Advisory [4 October 2017]
LDAP Data Connector insecure when using default JVM trust
=========================================================
A flaw in the library used by the LDAP data connector [1] causes the
connector to fail to validate the server certificate and leaves it
vulnerable to man-in-the-middle attacks under the following conditions:
1. The connection is via LDAPS (NOT StartTLS).
2. The connection's trust configuration is left to the default Java
cacerts file, so-called default JVM trust.
If your connector contains a trustFile attribute or a
<StartTLSTrustCredential> element (which also applies to LDAPS
connections), then it is not relying on default JVM trust and is not
vulnerable.
Affected Versions
=================
Versions of the Identity Provider < 3.3.2 using ldaptive < 1.0.11.
Recommendations
===============
All deployers affected should take at least one, and preferably both,
of the following steps:
1. Update to V3.3.2 to correct the flaw and to maintain use of a
supported release.
2. Copy the server's certificate (or more typically a CA) to a file
and reference it with the trustFile attribute.
As a short term fix, you MAY obtain and replace the version of ldaptive
inside the deployed warfile with the latest ldaptive version, but it's
generally simpler to just do the first step above.
Note that as of V3.3.2, the software will now warn in most cases if the
default JVM trust approach is used in the LDAP connector, and a future
version will no longer support this approach, as it continues to be a
source of security problems.
References
==========
URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20171004.txt
Credits
=======
Russell Ianniello, Australian Access Federation
[1] https://wiki.shibboleth.net/confluence/display/IDP30/LDAPConnector
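The trustFile mitigation from the advisory above, shown as an added attribute-resolver configuration example that is not part of the original message. The first connector illustrates the condition the advisory describes (LDAPS with no trustFile, so the connector falls back to default JVM trust); the second is the corrected form. The hostname, DNs, credential and file path are placeholders; the "before" and "after" connectors share an id only for comparison and would not both appear in one resolver file.

```xml
<!-- BEFORE (added example, not from the advisory): LDAPS connection with
     no trustFile and no <StartTLSTrustCredential>, i.e. default JVM trust.
     With ldaptive < 1.0.11 this is the configuration the advisory flags. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="ldaps://ldap.example.org:636"
    baseDN="ou=people,dc=example,dc=org"
    principal="uid=idp-service,ou=system,dc=example,dc=org"
    principalCredential="CHANGEME">
    <FilterTemplate>
        <![CDATA[
            (uid=$resolutionContext.principal)
        ]]>
    </FilterTemplate>
</DataConnector>

<!-- AFTER: the server certificate (or, more typically, its issuing CA) has
     been exported to a PEM file under the IdP's credentials directory and is
     referenced via trustFile, so the connector no longer relies on default
     JVM trust. The path is a placeholder. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="ldaps://ldap.example.org:636"
    baseDN="ou=people,dc=example,dc=org"
    principal="uid=idp-service,ou=system,dc=example,dc=org"
    principalCredential="CHANGEME"
    trustFile="%{idp.home}/credentials/ldap-server.crt">
    <FilterTemplate>
        <![CDATA[
            (uid=$resolutionContext.principal)
        ]]>
    </FilterTemplate>
</DataConnector>
```

Per the advisory, the trustFile setting is a mitigation independent of the upgrade; deployers should still move to V3.3.2, which also warns when a connector is left on default JVM trust.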