Shibboleth Identity Provider Security Advisory [18 September 2019]
Takeshi NISHIMURA
takeshi at nii.ac.jp
Thu Sep 26 06:28:31 EDT 2019
Hi Scott,
Thanks for the announcement.
It would be more useful if you could add the severity to advisories.
> Severity: moderate
For others' information, here is a Japanese translation:
https://www.gakunin.jp/ml-archives/upki-fed/msg01293.html
Best regards,
Takeshi
On 2019/09/18 23:44, Cantor, Scott wrote:
> Shibboleth Identity Provider Security Advisory [18 September 2019]
>
> Improper exposure of pairwise identifiers to relying parties
> ============================================================
>
> The Shibboleth Identity Provider supports the concept of "pairwise"
> identifiers that vary in value based on the identity of the relying
> party for a request. These are chiefly supported as values of SAML
> 2.0 NameIDs with a Format of
> "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
>
> The software implements policy controls intended to prevent a relying
> party from requesting a pairwise identifier in the namespace of a
> party other than itself or one for which it is authorized.
>
> A SAML AuthnRequest with certain content, combined with non-default
> settings or SAML metadata explicitly resulting in a response including
> a "persistent" NameID, can bypass the intended controls and disclose
> a pairwise value meant for a different relying party.
>
> This is a privacy exposure that can allow unintended correlation of
> user activity.
>
>
> Affected Versions
> =================
> Versions of the Identity Provider between V3.0.0 and V3.4.4
>
> Recommendations
> ===============
> Upgrade to Identity Provider V3.4.5 or later.
>
> A mitigating control is to review the relying parties for which the
> Identity Provider will a priori return a NameID with the "persistent"
> Format. This generally involves reviewing or limiting any sources of
> metadata containing a corresponding <md:NameIDFormat> element, or
> configurations in the relying-party.xml file containing the
> nameIDFormatPrecedence setting.
>
> References
> ==========
> URL for this Security Advisory
> http://shibboleth.net/community/advisories/secadv_20190918.txt
>
>
> Credits
> =======
> Takeshi Nishimura, GakuNin / National Institute of Informatics
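As an added example (not from the advisory or the Shibboleth project) of the mitigating control the quoted advisory recommends, the script below lists which relying parties would be issued a "persistent" NameID a priori, by scanning SAML metadata for <md:NameIDFormat> elements and a relying-party.xml for nameIDFormatPrecedence settings. The sample metadata and relying-party.xml fragment are constructed, the entity IDs are placeholders, and only the p:/c: attribute shorthand of an override is handled (an assumption; the <property><list> form is not audited).

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
P_NS = "http://www.springframework.org/schema/p"
C_NS = "http://www.springframework.org/schema/c"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample metadata: sp1 advertises persistent NameIDs, sp2 only transient.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:SPSSODescriptor><md:NameIDFormat>{PERSISTENT}</md:NameIDFormat></md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:SPSSODescriptor><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat></md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed relying-party.xml fragment (p:/c: shorthand only; <property><list> form not audited).
SAMPLE_RELYING_PARTY = f"""<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:p="{P_NS}" xmlns:c="{C_NS}">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp3.example.org/shibboleth">
    <property name="profileConfigurations"><list>
      <bean parent="SAML2.SSO" p:nameIDFormatPrecedence="{PERSISTENT}" />
    </list></property>
  </bean>
  <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp4.example.org/shibboleth">
    <property name="profileConfigurations"><list>
      <bean parent="SAML2.SSO" p:encryptAssertions="false" />
    </list></property>
  </bean>
</beans>"""


def sps_advertising_persistent(metadata_xml):
    """entityIDs whose metadata carries an <md:NameIDFormat> of persistent."""
    hits = []
    for ed in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        fmts = [(f.text or "").strip() for f in ed.iter(f"{{{MD}}}NameIDFormat")]
        if PERSISTENT in fmts:
            hits.append(ed.get("entityID"))
    return hits


def overrides_with_persistent_precedence(rp_xml):
    """relyingPartyIds of overrides whose (comma/space-separated) nameIDFormatPrecedence lists persistent."""
    hits = []
    for bean in ET.fromstring(rp_xml).iter():
        rp_ids = bean.get(f"{{{C_NS}}}relyingPartyIds")
        if rp_ids and any(PERSISTENT in p.get(f"{{{P_NS}}}nameIDFormatPrecedence", "")
                          .replace(",", " ").split() for p in bean.iter()):
            hits.append(rp_ids)
    return hits
```

Run both functions over the real metadata feeds and relying-party.xml the IdP loads; every entity they return is one that receives a persistent NameID without being asked, and so is worth reviewing until the upgrade to V3.4.5 or later is done.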