-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Service Provider Security Advisory [27 February 2018]

09 Mar Update: The commit containing the patch has been added to the advisory.

An updated version of the Shibboleth Project's XMLTooling library is
available which corrects a critical security issue.

Shibboleth SP software vulnerable to additional data forgery flaws
==================================================================
The XML processing performed by the Service Provider software has been
found to be vulnerable to new flaws similar in nature to the one addressed
in an advisory last month [1]. These bugs involve the use of other XML
constructs rather than entity references, and therefore required
additional mitigation once discovered.

As with the previous issue, this flaw allows for changes to an XML
document that do not break a digital signature but can alter the user
data passed through to applications behind the SP and result in
impersonation attacks and exposure of protected information.

As before, the use of XML Encryption is a significant mitigation, but we
have not dismissed the possibility that attacks on the Response "envelope"
may be possible, in both the original and this new case. No actual attacks
of this nature are known, so deployers should prioritize patching systems
that expect to handle unencrypted SAML assertions.

An updated version of XMLTooling-C (V1.6.4) is available [2] that protects
against these new attacks, and should help prevent similar vulnerabilities
in the future.

Unlike the previous case, these bugs are NOT prevented by any existing
Xerces-C parser version on any platform and cannot be addressed by any
means other than the updated XMLTooling-C library. ALL supported (and
unsupported) platforms are impacted by these bugs, including Windows,
Linux, Solaris, and OS X.

This vulnerability has been assigned CVE-2018-0489 and is referenced by a
CERT Vulnerability Note at [3].
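As an added example (not part of the advisory and not Shibboleth or
XMLTooling code), the following Python shows the general property the
advisory describes: a change inside a signed element that canonicalization
discards, so a signature computed over the canonical form still verifies,
while a value extractor that reads only the first text node of the element
sees a different identity than the one that was signed. Using an XML
comment as the construct that splits the text node is an illustrative
assumption; the advisory does not say which constructs the patched bugs
involve. The NameID element and its values are constructed for the example.

```python
import xml.dom.minidom as minidom
import xml.etree.ElementTree as ET

# Constructed samples (not taken from the advisory). The second document is
# the first with an XML comment placed inside the NameID text content; the
# comment is an illustrative assumption, not a description of the patched bug.
PLAIN = "<NameID>alice@example.org</NameID>"
SPLIT = "<NameID>alice<!-- -->@example.org</NameID>"


def canonical(xml_doc: str) -> str:
    """Canonical form of the document as a signature would cover it.

    C14N omits comments unless with_comments=True, so two documents that
    differ only by a comment canonicalize to the same bytes.
    """
    return ET.canonicalize(xml_doc)


def naive_text(xml_doc: str) -> str:
    """Read only the first child node, the way a careless DOM extractor does.

    A comment (or any other node) inside the text splits it into several
    DOM children, and this function returns only the part before the split.
    """
    root = minidom.parseString(xml_doc).documentElement
    first = root.firstChild
    return first.nodeValue if first is not None else ""


def robust_text(xml_doc: str) -> str:
    """Return the full character content of a text-only element.

    Every text and CDATA child is concatenated; comments carry no data and
    are skipped, which matches what canonicalization signs; any other node
    type is rejected so an unexpected structure fails closed.
    """
    root = minidom.parseString(xml_doc).documentElement
    parts = []
    for child in root.childNodes:
        if child.nodeType in (child.TEXT_NODE, child.CDATA_SECTION_NODE):
            parts.append(child.data)
        elif child.nodeType == child.COMMENT_NODE:
            continue
        else:
            raise ValueError(
                "unexpected node type %d in text-only element" % child.nodeType
            )
    return "".join(parts)


def extraction_is_consistent(xml_doc: str) -> bool:
    """True when the naive and robust readings agree.

    A mismatch means the element's DOM structure would let a first-node
    extractor report a value other than the one the signature covers.
    """
    return naive_text(xml_doc) == robust_text(xml_doc)


if __name__ == "__main__":
    # Same canonical form, so a signature over it cannot distinguish the two.
    print(canonical(PLAIN) == canonical(SPLIT))   # True
    # The naive reader sees a different identity for the split document.
    print(naive_text(SPLIT), "|", robust_text(SPLIT))
    print(extraction_is_consistent(PLAIN), extraction_is_consistent(SPLIT))
```

The point of the contrast is that the signature check and the value
extraction look at two different views of the same element; the defect
lives in the XML-processing layer, which is why the advisory says it can
only be addressed by the updated library and not by the parser or by
deployment configuration. Code that consumes SAML attributes after the SP
can still apply the same discipline: take the complete character content
of a text-only element and fail closed when its structure is not what the
schema leads you to expect.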
Recommendations
===============
Upgrade to V1.6.4 or later of the XMLTooling-C library and restart the
affected processes (shibd, Apache, etc.)

Linux installations relying on official RPM packages can upgrade to the
latest package versions to obtain the fix. The MacPort has also been
updated.

Windows systems can upgrade to the latest Service Provider release
(V2.6.1.4) which contains the appropriately updated libraries. [4]

The commit containing the patch for this vulnerability can be found at
https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=63418ce5a7db6f2cecc0beeb98bb6f1286781ae5

Credits
=======
Kelby Ludwig, Duo Security
Scott Cantor, Shibboleth Project

[1] https://shibboleth.net/community/advisories/secadv_20180112.txt
[2] https://shibboleth.net/downloads/c++-opensaml/2.6.1/
[3] https://www.kb.cert.org/vuls/id/475445
[4] https://shibboleth.net/downloads/service-provider/2.6.1/

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20180227.txt

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAlqiuu8ACgkQN4uEVAIn
eWLP8A/9FWJzpi2xdIcUor9o3f+JCGDKgZ3Fr2xIbMTehhrwh2+Sk/AcXeNGB7ju
Iha1f1qy1qVG8L6bPIpHCAX4ky+8DECZx9rNPcKeZnKf7kj6FnPzgj6uzAb55BLx
lRvuqpWyDWU8UQBYgBmkmUbJfDcU9NiclZkisPk7iveUs+DkCLFpY7MzFVi/S/HR
dYBypyClPrIpR52E7vdyImqO0rtKX5xTOX8a/M9pDlJpvXSH+x8EPupGxgrdPYQ/
ImSS4zaKcJVlUXsvU3IZMl/99gukDoIZ0zoHmAsco9qqUhurlQ4uqjYPI2VYNQxn
zm/41Po814tlIx0+VPZd2sZXFskTEv/vRMdWxOZ++YM9faz5fHdyuer114JDQzmx
3gOt70rXX8EYUCRmcqoNpWK0XBWd0UCNG94a2oHCwKjE/yS0lpPwOtSc91Wjc/FS
lX7Gs6ZRa4/db6G9JpNOmry6XIZg5mYJCFrnkTXuX1Mr7IPUZv5e6md218ioKm5k
LbnMmtxq/zhcnN3QNIPs5CQrD5yZ5qnQGVWM3kyBiaLUFiynAXNoctk3UUNscKrL
sCLYuy5w1w7RdLt/Prk8UShpcPgRUX+5m/SJob0Lg3c2A4BH+Zx7Mq5vOzeHwnVa
QQTL4ejz4NdmjjEfjnZi/EXSpy63Z5J49YLMP3fcalXvbyb/Srk=
=CKeP
-----END PGP SIGNATURE-----