-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Identity Provider Security Advisory [4 October 2017]

LDAP Data Connector insecure when using default JVM trust
=========================================================

A flaw in the library used by the LDAP data connector [1] causes the
connector to fail to validate the server certificate and leaves it
vulnerable to man-in-the-middle attacks under the following conditions:

1. The connection is via LDAPS (NOT StartTLS).

2. The connection's trust configuration is left to the default Java
   cacerts file, so-called default JVM trust.

If your connector contains a trustFile attribute or a element (which
also applies to LDAPS connections), then it is not relying on default
JVM trust and is not vulnerable.

Affected Versions
=================

Versions of the Identity Provider < 3.3.2 using ldaptive < 1.0.11.

Recommendations
===============

All deployers affected should take at least one, and preferably both,
of the following steps:

1. Update to V3.3.2 to correct the flaw and to maintain use of a
   supported release.

2. Copy the server's certificate (or more typically a CA) to a file
   and reference it with the trustFile attribute.

As a short-term fix, you MAY obtain and replace the version of ldaptive
inside the deployed warfile with the latest ldaptive version, but it's
generally simpler to just do the first step above.

Note that as of V3.3.2, the software will now warn in most cases if the
default JVM trust approach is used in the LDAP connector, and a future
version will no longer support this approach, as it continues to be a
source of security problems.
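The following attribute-resolver fragment is an added illustration and is not part of the advisory or the Shibboleth project's own configuration. It shows the two states the advisory distinguishes for an IdP V3 LDAPDirectory data connector: the first connector uses an LDAPS URL without StartTLS and carries no trustFile attribute, so it relies on default JVM trust and meets both affected conditions; the second is the same connector with the trustFile attribute from recommendation 2. The hostname, base DN, bind DN, property names and file path are placeholders assumed for the example, not values taken from the advisory.

```xml
<!-- Added example, not from the advisory. Placeholder hostnames, DNs and paths. -->

<!-- AFFECTED under the advisory's conditions: ldaps:// URL, useStartTLS="false"
     (i.e. LDAPS rather than StartTLS) and no trustFile attribute, so server
     certificate trust falls back to the default Java cacerts file. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="ldaps://ldap.example.org:636"
    baseDN="ou=people,dc=example,dc=org"
    principal="uid=idp,ou=system,dc=example,dc=org"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="false">
    <FilterTemplate>
        <![CDATA[ (uid=$requestContext.principalName) ]]>
    </FilterTemplate>
</DataConnector>

<!-- MITIGATED per recommendation 2: identical connector, but trustFile points at a
     PEM file holding the LDAP server's certificate or, more typically, its issuing
     CA. With an explicit trustFile the connector no longer relies on default JVM
     trust, which the advisory states takes it outside the vulnerable condition. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="ldaps://ldap.example.org:636"
    baseDN="ou=people,dc=example,dc=org"
    principal="uid=idp,ou=system,dc=example,dc=org"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="false"
    trustFile="%{idp.home}/credentials/ldap-server-ca.crt">
    <FilterTemplate>
        <![CDATA[ (uid=$requestContext.principalName) ]]>
    </FilterTemplate>
</DataConnector>
```

When auditing an existing deployment, the two things to check for each LDAPDirectory connector are whether its ldapURL scheme is ldaps:// (the StartTLS path is not affected) and whether a trustFile attribute or the equivalent element is present; a connector with neither matches the advisory's conditions regardless of what the Java cacerts file contains. After upgrading to V3.3.2 or later, the warning the advisory says the software now emits for default JVM trust in the LDAP connector is a useful second signal that a connector was missed.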
References
==========

URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20171004.txt

Credits
=======

Russell Ianniello, Australian Access Federation

[1] https://wiki.shibboleth.net/confluence/display/IDP30/LDAPConnector

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAlnU3fwACgkQN4uEVAIn
eWIw7A//bQodkXcD+2xRq6iF88WoMNK6Q9Cr8kWH6ypiyRQfj1/kmL1KJgp348bK
VtSm85pQNV35pz5pEOAJ4exW5Mo/R2fJ2Q3dpqv9Qdi/hlOzp2tCyQqSiigm8VMF
ZeJjcofwY2PESV3x8v1KW8NCEsqc3RPedQJHlQ/9mLQI2fxgnH/z6BKp0u+fmTl4
WMRfTioEh0GXZpMj6qPWMIC28iBltSNx9Mzic6cTLcglHx4GhHEmkSobqHICLrKq
+yUlnDbi8n04ghF//RBut9iBQkhCVwUQWxlWEhqasXRJT4PQGZjtE7aCOqk2XPP3
y6MOdBX0PojDqEX5I/kM4ZJQfTy6PWp32SHSMlP0NiDMQzlQmODc1DWQbWO/NGOk
o+nWKQGhvmQl8GtRwtPoE5f8tjYHuC7iqW5fdw676OB4eU5DntLQofc61pXR33+o
OrS8UtB0pGGe/TS5M77oYznJ1IqOWwIaDbHW3ykrN555uOCGFKaNmBL2MghHediZ
h24TwkAv7bnXFJ+qR/WwOIWK2XgDIqybZv4L8FbzBaPYwkyPhpPLQNmh07cFxGCx
DVK3+7C0iXYHycrjxptt1bFYqT+iCHRJg0IGJYVjJ+BD4q9o+p+BQNOdwnjyuE1E
LkUyPuHfYDrhXJOysjQlFFKrufDdONeozlwoLQEff3zNpWGIn6c=
=FXHy
-----END PGP SIGNATURE-----