-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [15 November 2017]

An updated version of the Shibboleth Service Provider software is available which corrects a critical security issue in the "Dynamic" metadata provider plugin. Deployers making use of the affected feature should apply the relevant update at the soonest possible moment.

The CVE assigned to this issue is CVE-2017-16852.

Dynamic MetadataProvider fails to install security filters
============================================================

The Shibboleth Service Provider software includes a MetadataProvider plugin with the plugin type "Dynamic" to obtain metadata on demand from a query server, in place of the more typical mode of separately downloading aggregates containing all of the metadata to load.

All the plugin types rely on MetadataFilter plugins to perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments. Due to a coding error, the "Dynamic" plugin fails to configure itself with the filters provided to it and thus omits whatever checks they are intended to perform. This will typically leave deployments vulnerable to active attacks involving the substitution of metadata if the network path to the query service is compromised.

Affected Systems
==================

All versions of the Service Provider software prior to V2.6.1 contain this vulnerability.

There are no known mitigations to prevent this attack apart from applying this update. Deployers should take immediate steps, and may wish to disable the use of this feature until the upgrade is done.

Service Provider Deployer Recommendations
===========================================

Upgrade to V2.6.1 or later of the Service Provider and restart the shibd service/daemon.

Sites relying on official RPM packages or MacPorts can update via the yum and port commands respectively.
For those using platforms unsupported by the project team directly, refer to your vendor or package source directly for information on obtaining the fixed version. If the update from your vendor lags, you may consider building from source for your own use as an interim step. The patch commit that corrects this issue can be found at [1].

Additional Recommendations for Federation Operators
=====================================================

Operators of metadata query services in support of this feature may wish to consider implementing security checks after a suitable upgrade window has elapsed to prevent use of affected versions, or to follow up with deployers. The User Agent string in requests to the service will contain the version of the software.

Note Regarding OpenSAML Library
=================================

An identical issue exists in the DynamicMetadataProvider class in the OpenSAML-C library in all versions prior to V2.6.1. Applications making direct use of this library must be independently updated to correct this vulnerability, but this fix does not correct the issue with respect to the use of the Shibboleth SP. The patch commit that corrects the OpenSAML issue can be found at [2].

The CVE assigned to this issue is CVE-2017-16853.
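The defect described above (in both the SP's "Dynamic" plugin and OpenSAML-C's DynamicMetadataProvider) is a filter chain that is accepted by the provider but never installed, so every response from the query service is trusted as-is. The following Python model is an added illustration, not code from the Shibboleth or OpenSAML projects: it uses an HMAC over a few fields as a stand-in for the XML Signature a real MetadataFilter would verify, a fixed clock, constructed query-service responses, and a "before" provider that drops its filters beside an "after" provider that runs them. The entity IDs, endpoints and key are constructed values.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the federation's signing key. A real SP verifies an
# XML Signature against a configured certificate; an HMAC is enough to model
# "the filter detects any alteration of the document".
FEDERATION_KEY = b"constructed-federation-signing-key"
NOW = datetime(2017, 11, 15, tzinfo=timezone.utc)  # fixed clock, deterministic


def sign(entity_id: str, valid_until: datetime, sso: str) -> str:
    """Constructed stand-in for signing an EntityDescriptor."""
    msg = f"{entity_id}|{valid_until.isoformat()}|{sso}".encode()
    return hmac.new(FEDERATION_KEY, msg, hashlib.sha256).hexdigest()


class MetadataFilterError(Exception):
    """Raised by a filter that rejects a metadata document."""


class SignatureFilter:
    """Models signature verification: reject a document altered in transit."""

    def apply(self, doc: dict, now: datetime) -> None:
        expected = sign(doc["entityID"], doc["validUntil"], doc["sso"])
        if not hmac.compare_digest(expected, doc["signature"]):
            raise MetadataFilterError("signature verification failed")


class RequireValidUntilFilter:
    """Models validity-period enforcement (expired or over-long validUntil)."""

    def __init__(self, max_validity: timedelta):
        self.max_validity = max_validity

    def apply(self, doc: dict, now: datetime) -> None:
        valid_until = doc["validUntil"]
        if valid_until < now:
            raise MetadataFilterError("metadata expired")
        if valid_until - now > self.max_validity:
            raise MetadataFilterError("validUntil exceeds the permitted window")


class _DynamicProvider:
    """Fetch one entity's metadata on demand, then run whatever filters are installed."""

    def resolve(self, entity_id: str, now: datetime) -> dict:
        doc = self.query(entity_id)
        for f in self.filters:
            f.apply(doc, now)
        return doc


class DynamicProviderBefore(_DynamicProvider):
    """Models the pre-2.6.1 defect: `filters` is accepted but never installed."""

    def __init__(self, query, filters):
        self.query = query
        self.filters = []  # the coding error modelled here: filters discarded


class DynamicProviderAfter(_DynamicProvider):
    """Corrected behaviour: the supplied filters run on every response."""

    def __init__(self, query, filters):
        self.query = query
        self.filters = list(filters)


# --- constructed query-service responses -----------------------------------
GOOD_UNTIL = NOW + timedelta(days=7)
GENUINE_SSO = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"


def _doc(entity_id: str, valid_until: datetime, sso: str) -> dict:
    return {"entityID": entity_id, "validUntil": valid_until, "sso": sso,
            "signature": sign(entity_id, valid_until, sso)}


def genuine_query(entity_id: str) -> dict:
    """What the real query service returns (constructed)."""
    return _doc(entity_id, GOOD_UNTIL, GENUINE_SSO)


def expired_query(entity_id: str) -> dict:
    """A correctly signed but stale document (constructed)."""
    return _doc(entity_id, NOW - timedelta(days=1), GENUINE_SSO)


def substituted_query(entity_id: str) -> dict:
    """A response whose SSO endpoint was replaced on the network path (constructed)."""
    doc = genuine_query(entity_id)
    doc["sso"] = "https://substituted.example.net/sso"  # signature no longer matches
    return doc


FILTERS = [SignatureFilter(), RequireValidUntilFilter(timedelta(days=30))]


def outcome(provider_cls, query, entity_id: str = "https://idp.example.org/idp") -> str:
    """'accepted' or 'rejected: <reason>' for one on-demand resolution."""
    try:
        provider_cls(query, FILTERS).resolve(entity_id, now=NOW)
        return "accepted"
    except MetadataFilterError as exc:
        return f"rejected: {exc}"
```

Running `outcome(DynamicProviderBefore, substituted_query)` returns `"accepted"`: with no filters installed the substituted endpoint is used as-is, which is the exposure the advisory describes. `DynamicProviderAfter` rejects the same document with `"rejected: signature verification failed"` and the stale one with `"rejected: metadata expired"`, while still accepting the genuine response.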
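For the federation-operator recommendation above, the practical check is to read the SP version out of the User-Agent string in the query service's access log and compare it against V2.6.1. The following Python is an added example, not tooling from the Shibboleth project: the log lines are constructed, and the `Shibboleth SP/x.y.z` token shape is an assumption (the advisory only says the string carries the version), so the pattern should be confirmed against a real log before use.

```python
import re
from typing import Dict, Optional, Tuple

# Version that corrects the defect (from the advisory).
FIXED_VERSION = (2, 6, 1)

# Assumed User-Agent shape; verify against real query-service logs.
UA_RE = re.compile(r"Shibboleth[ -]?SP/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"\s*$'
)

# Constructed sample access-log lines from a metadata query service.
SAMPLE_LOG = """\
198.51.100.10 - - [16/Nov/2017:09:12:01 +0000] "GET /entities/https%3A%2F%2Fidp.example.org%2Fidp HTTP/1.1" 200 8123 "-" "Shibboleth SP/2.6.0"
198.51.100.11 - - [16/Nov/2017:09:12:07 +0000] "GET /entities/https%3A%2F%2Fidp.example.org%2Fidp HTTP/1.1" 200 8123 "-" "Shibboleth SP/2.6.1"
198.51.100.12 - - [16/Nov/2017:09:13:44 +0000] "GET /entities/https%3A%2F%2Fidp.example.org%2Fidp HTTP/1.1" 200 8123 "-" "Shibboleth SP/2.5.6"
203.0.113.5 - - [16/Nov/2017:09:14:02 +0000] "GET /entities/https%3A%2F%2Fidp.example.org%2Fidp HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Linux x86_64) monitoring-probe"
198.51.100.10 - - [16/Nov/2017:10:01:15 +0000] "GET /entities/https%3A%2F%2Fidp.example.org%2Fidp HTTP/1.1" 200 8123 "-" "Shibboleth SP/2.6.0"
"""


def sp_version(user_agent: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an SP User-Agent, or None if absent."""
    m = UA_RE.search(user_agent)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True for any version prior to the fixed release."""
    return version < FIXED_VERSION


def affected_clients(log_text: str) -> Dict[str, str]:
    """Map each client address still running an affected SP to the version seen.

    Lines that do not parse, or whose User-Agent carries no SP version, are
    skipped: a client that cannot be identified is not reported, so this list
    is a floor on the number of unpatched deployers, not a ceiling.
    """
    found: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, _timestamp, user_agent = m.groups()
        version = sp_version(user_agent)
        if version is not None and is_affected(version):
            found[host] = ".".join(str(n) for n in version)
    return found


def should_refuse(user_agent: str) -> bool:
    """Policy hook for the post-upgrade-window check the advisory suggests:
    refuse service only when the request is positively from an affected SP."""
    version = sp_version(user_agent)
    return version is not None and is_affected(version)
```

Over the sample, `affected_clients(SAMPLE_LOG)` reports `198.51.100.10` (2.6.0) and `198.51.100.12` (2.5.6); the 2.6.1 client and the non-SP probe are not listed. Tuple comparison handles later major versions correctly, so a 3.x SP is never flagged. `should_refuse` deliberately returns False for an unrecognised User-Agent, so enabling it cannot break clients whose version is simply not reported; whether to contact those deployers instead is a separate operational decision.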
Credits
=========

Rod Widdowson, Steading System Software LLP

[1] https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit;h=b66cceb0e992c351ad5e2c665229ede82f261b16
[2] https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=6182b0acf2df670e75423c2ed7afe6950ef11c9d

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20171115.txt

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAloOLM8ACgkQN4uEVAIn
eWKAuw/+NNjjJABle0cjtNCv/K1int3RHIsrtIb5ea+5PYzddZjvP8hP+ZelewjG
9Q+fTWY/V28i3sOxlMAmH9OR4iGz8MptHMR3dW95uWe9Ibp1CpKtLPU6FZoiVIAh
vM3JxPTf8giwlMgTy8Pw/G+wdzL5vAw65dBFLz2vFnCQ3R0rMS2gQ0xS7oWSrxp1
nwWGquryuSW4HaoBKKyGDsRRHgw95CKtIBeqPqnEWzna5zu1a5K26c0ofL5FMGNB
EZjkhz1lcxNwv3Dy7wffhgd9n27rtLG5tiSIYk4jmG4K5Iv8TgROJwcVuUd+GJ9X
QQys4bYgt7XGmxVZQENpIhsF2PyRsNChld9eOPsuiNxsmQ40BgajDFWFpQcaiJse
3XE34iX0H6LiZnpHp4mMhR9XiOxOWLGCuA2SZUML+nFsiUuKKAEJ8uZwwexnzKrm
fkqzWAk0ZtFDuZIqFui38T52chJnMEnp6chz53j2nVul9CKTYcvaHzXXshY57LgT
NOIBHm1oE1ie5TxsOGgNBY4H6dZgQnNE917gg1gBHOdb1xyFg2MYd53oi54YNmLY
xF7BE0JkJSaYdm8pE8CaSMennysH/Yz4CU9fUeF6rN3eRj9+KZYajIP9YM77aCSm
uG0aqYPIfz109D6AQQE+qKzAUrlEEFLM2XYE5N2BweaJI19JQ7E=
=MfKu
-----END PGP SIGNATURE-----