Shibboleth Service Provider Security Advisory [12 January 2018]

An updated version of the Shibboleth Project's XMLTooling library is available which corrects a critical security issue.

Shibboleth SP software vulnerable to forged user attribute data
====================================================================
The Service Provider software relies on a generic XML parser to process SAML responses, and there are limitations in older versions of the parser that make it impossible to fully disable Document Type Definition (DTD) processing. Through addition or manipulation of a DTD, it is possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information.

While the use of XML Encryption can serve as a mitigation for this bug, it may still be possible to construct attacks in such cases, and the SP does not provide a means to enforce its use.

An updated version of XMLTooling-C (V1.6.3) is available that works around this specific bug. While newer versions of the parser are configured by the SP to disallow the use of a DTD via an environment variable, this feature is not present in the parser used on some supported platforms (notably Red Hat and CentOS 7), so an additional fix is being provided now that an actual DTD exploit has been identified. While it is possible to determine whether one is already immune to this bug, installing this patch is a simpler step and is strongly encouraged. Notably, however, "current" Windows installs of V2.6.0 and later are *not* impacted by the bug, so this patch can be treated as lower priority on that platform.

This vulnerability has been assigned CVE-2018-0486.
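The advisory's point is that a DTD can change what the SP sees without invalidating the signature, and that the parser on some platforms cannot simply be told to ignore DTDs. One defensive gate that does not depend on the parser's own switches is to reject any inbound SAML message that declares a DOCTYPE at all, before it reaches the signature and attribute-handling code. The following is an added example, not code from the Shibboleth project; the two sample messages are constructed and the function names are the author's own.

```python
"""Added example: refuse SAML XML that carries a DOCTYPE/DTD before it is processed."""
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when an inbound XML message declares a DTD."""


def _raise_on_doctype(name, sysid, pubid, has_internal_subset):
    # SAML messages never need a DOCTYPE, so any declaration is grounds for
    # rejection, with or without an internal subset or external identifier.
    raise DtdNotAllowed(f"DOCTYPE {name!r} not permitted in SAML message")


def check_no_dtd(xml_bytes: bytes) -> bool:
    """Return True if xml_bytes is well-formed and declares no DTD; raise otherwise."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _raise_on_doctype
    # Never fetch external parameter entities while performing the check.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(xml_bytes, True)  # raises ExpatError if the XML is malformed
    return True


def is_dtd_free(xml_bytes: bytes) -> bool:
    """Boolean form of the check, suitable as a filter in front of the SP."""
    try:
        return check_no_dtd(xml_bytes)
    except DtdNotAllowed:
        return False


# Constructed sample messages (hypothetical, not captured SAML traffic).
CLEAN_RESPONSE = b"""<?xml version="1.0"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c1">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same document with a DOCTYPE and an internal subset added; the check must reject it.
DTD_RESPONSE = b"""<?xml version="1.0"?>
<!DOCTYPE samlp:Response [ <!ENTITY note "constructed"> ]>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_c2">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Because the rejection happens on the DOCTYPE declaration itself, it fires before any entity in the internal subset is expanded, which is the order that matters when the downstream parser cannot be configured to refuse DTDs.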
Recommendations
===============
Upgrade to V1.6.3 or later of the XMLTooling-C library and restart the affected processes (shibd, Apache, etc.).

Linux installations relying on official RPM packages can upgrade to the latest package versions to obtain the fix. The MacPort has also been updated.

Windows systems can upgrade to the latest Service Provider release (V2.6.1.3) which contains the appropriately updated libraries. [1]

Credits
=======
RedTeam Pentesting

[1] https://shibboleth.net/downloads/service-provider/2.6.1/

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20180112.txt