-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [19 March 2015]

An updated version of the Shibboleth Service Provider software is now
available which addresses a denial of service vulnerability. A denial
of service vulnerability also exists in the Xerces-C XML parser used by
the software. OpenSSL has also announced several similar
vulnerabilities.

Platforms on which Xerces-C V3.1.1 is an OS-supplied component, such as
Red Hat 7, OpenSUSE 13, and others, will need to ensure their vendor
has supplied an updated package to correct the issue. On all but
Windows, deployers also need to ensure that a suitably patched version
of OpenSSL is used.

Shibboleth SP software crashes on malformed input messages
===============================================================
The SP software contains an authenticated denial of service
vulnerability that results in a crash on certain kinds of malformed
SAML messages. The vulnerability is only triggered when special
conditions are met and after a message or assertion signature has been
verified, so exploitation requires a message produced under a trusted
key, limiting the impact.

This vulnerability has been published as CVE-2015-2684.

More seriously, versions of the Apache Xerces-C XML parser prior to the
just-released V3.1.2 also contain a vulnerability that causes a crash
on malformed input documents. This crash occurs early in the parsing
process and can be exploited by an unauthenticated attacker. The SP
software is vulnerable to this issue when used with an affected
Xerces-C library.

The Xerces-C vulnerability has been published as CVE-2015-0252.

OpenSSL also announced a large set of issues, mostly of a similar
variety, some of which would potentially impact the SP software. A
number of separate issues and CVEs are involved and a link to the
advisories can be found below.
Recommendations
===============
Update to V2.5.4 or later of the Shibboleth SP software, ensure that
V3.1.2 or later of the Xerces-C library is used, and ensure that an
appropriately patched version of OpenSSL is used, generally 1.0.2a,
1.0.1m, 1.0.0r, or 0.9.8zf or later.

For Windows installations, V2.5.4 of the Shibboleth SP is now available
and contains updates to several libraries, including Xerces-C 3.1.2 and
OpenSSL 1.0.2a.

Linux installations relying on official RPM packages can upgrade to the
latest package versions to obtain the fixes. Sites that rely on an
OS-supplied version of Xerces-C V3.1.1 will need to contact their OS
vendor for a fixed version, or manually build a new or patched version.
All RPM platforms on which the OS-supplied version of Xerces-C is older
than V3.1.0 are now built with Xerces-C V3.1.2, and this is included as
a dependent package.

Any use of Xerces-C V2.x is now unsupported, both by the Xerces Project
itself and by the Shibboleth Project.

Sites building from source will need to ensure that the Xerces-C,
OpenSSL, and SP libraries and software are updated to remedy these
issues.

Credits
=======
Thanks to Brett Slaughter of the University of Missouri for reporting
the SP vulnerability.
URL for this Security Advisory:
http://shibboleth.net/community/advisories/secadv_20150319.txt

Other references:
http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt
http://openssl.org/news/secadv_20150319.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVGFVMAAoJEDeLhFQCJ3licSAQAMagRO5EmFB2rezHrspbwdXm
N05tSMtETD9WH96fVHICEdgwoh+XMmgu4jLhbVyyOU8dAE4znmqHsZ+H2XSj+tjQ
EAsWtmeaBjnDH6DlwslpIf/7dwrdzAyaxSFQy9zZss/wKq2bVJYU5aI7MX/aMTvl
fvqeVKffwnxroPafML30peVAEtJIcQPS5uDwp210bI9ePct9+T2kfpxZTm7KgIMF
VjgU9FERRsDjbqn61Yfd1dmGjEdH4dLzCPMAWHgNbOJBlsUkEuLO6Wbwby7sDfkB
Ky5u9eWucTrTjrgWRu7kVPlae2m4vhzQJUAYl2jxYBnde+c+NA+w/jce3Nofiq6K
NsTJNlRD5dXFchy8iBMXV3yC5zka3X0myg58s60sn3uVhDShuSIeYmUpv+6FTe7n
0pcq4llcmyC3YQjdCfQ1TEJNXelEdb//leoCPxbRMuN+srVQWLrVcjfDVRo5iCXx
6X7qJ9oHoN8Yx3Sm910xjsVR8WXKyJfU6FRTwy+4B+U+bwznFs9qS3M0YF1syd/v
DiJMVO6+Zhczme2tpB7VEwGU0IPcGMWxlnVyrBxgIYianf2Tm6CNSCKv/W5wohxw
7kRlFnJ8lusVx9VFASYUb21OODrmLwx1c+KNUAY69tJ336S5LwY37Y40mCUuKlGX
BE/NNH4T8wTXENe/5xF7
=co64
-----END PGP SIGNATURE-----
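Added example, not part of the signed advisory or of the Shibboleth Project's code: a small Python checker that takes version text gathered from a host (for instance the output of `openssl version` or `rpm -q xerces-c shibboleth`) and compares it against the minimum fixed versions listed under Recommendations. It encodes the OpenSSL patch-letter ordering (a..z, then za, zb, ...) so that 0.9.8ze is correctly judged older than 0.9.8zf. Function names and the sample version strings are constructed for illustration.

```python
"""Compare collected version strings with the fixed versions named in the
Shibboleth SP advisory of 19 March 2015: SP 2.5.4, Xerces-C 3.1.2, and
OpenSSL 1.0.2a / 1.0.1m / 1.0.0r / 0.9.8zf (one fixed release per branch).
Function names and sample inputs are constructed for this example."""
import re

SP_MIN = (2, 5, 4)        # Shibboleth SP
XERCES_MIN = (3, 1, 2)    # Apache Xerces-C
# OpenSSL fixed patch letter per maintained branch, as listed in the advisory.
OPENSSL_MIN = {"1.0.2": "a", "1.0.1": "m", "1.0.0": "r", "0.9.8": "zf"}

_NUMERIC = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_OPENSSL = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_numeric(text):
    """Return the first dotted x.y.z triple in text as a tuple of ints.
    Works on RPM-style names such as 'xerces-c-3.1.1-8.el7.x86_64'."""
    m = _NUMERIC.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def sp_is_fixed(text):
    """True when the SP version is 2.5.4 or later."""
    return parse_numeric(text) >= SP_MIN


def xerces_is_fixed(text):
    """True when the Xerces-C version is 3.1.2 or later."""
    return parse_numeric(text) >= XERCES_MIN


def _letter_key(letters):
    """OpenSSL patch letters order a..z, then za, zb, ...; comparing by
    (length, string) reproduces that. No letter (plain '1.0.2') is oldest."""
    return (len(letters), letters)


def parse_openssl(text):
    """'OpenSSL 1.0.1k 8 Jan 2015' -> ('1.0.1', 'k')."""
    m = _OPENSSL.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return m.group(1), m.group(2)


def openssl_is_fixed(text):
    """True when the reported OpenSSL release is at or past its branch's fix.
    A branch newer than 1.0.2 postdates the advisory and counts as fixed; an
    older branch not in the table is unsupported and counts as unfixed."""
    branch, letters = parse_openssl(text)
    if branch in OPENSSL_MIN:
        return _letter_key(letters) >= _letter_key(OPENSSL_MIN[branch])
    return parse_numeric(branch) > (1, 0, 2)


def check_deployment(sp_text, xerces_text, openssl_text):
    """Return {component: True if at or above the advisory's fixed version}."""
    return {
        "shibboleth-sp": sp_is_fixed(sp_text),
        "xerces-c": xerces_is_fixed(xerces_text),
        "openssl": openssl_is_fixed(openssl_text),
    }


if __name__ == "__main__":
    # Constructed sample resembling an unpatched Red Hat 7 style host.
    result = check_deployment(
        "shibboleth-2.5.3-1.1.el7.x86_64",
        "xerces-c-3.1.1-8.el7.x86_64",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
    )
    for component, ok in result.items():
        print(f"{component:14s} {'fixed' if ok else 'NEEDS UPDATE'}")
```

One caveat when using this on vendor-packaged hosts: distributions such as Red Hat backport fixes without changing the upstream version string, so an OpenSSL reporting 1.0.1e or a Xerces-C reporting 3.1.1 may already carry the fix in a later package release. The checker will flag those as unfixed; as the advisory says, the authoritative answer for OS-supplied components is the vendor's updated package, so confirm against the vendor's errata rather than the upstream version alone.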