Courtesy Security Advisory for Shibboleth Identity Provider v2 and OpenSAML v2

Brent Putman putmanb at georgetown.edu
Sat Sep 19 01:42:28 UTC 2020


This is a courtesy security advisory for the Shibboleth Identity 
Provider v2 and OpenSAML v2.  Both projects reached end-of-life in July 
2016.  We are sending this announcement as a courtesy for anyone who 
may still be using this very old and unsupported software.  v3 and 
newer of both software packages are unaffected by this issue.

The org.opensaml.xml.util.Base64 support class found in java-xmltooling 
(a component of OpenSAML v2) is subject to a gzip bomb denial-of-service 
(memory exhaustion) attack when very large Base64-encoded, gzip-compressed 
data is decoded.

For technical details see the Jira issue [1].

OpenSAML v2 users who are using this class directly are advised at a 
minimum to switch to a different Base64 implementation.

For Identity Provider v2 users, there is no workaround.

For both projects a different Base64 implementation was used starting 
with v3.0, so no modern and supported versions of the software are 
affected.

In general, if you are using v2 of either software package it is of 
course strongly recommended to upgrade to a modern supported version.

Thanks,
Brent

[1] https://issues.shibboleth.net/jira/browse/JXT-126
