New versions of the Jetty Java servlet engine have been released for the 9.2.x, 9.3.x, and 9.4.x branches. These versions address five security vulnerabilities.
As a result, all deployers of the Shibboleth Identity Provider software utilizing Jetty (the default in IdP 3.0+) must deploy these updates.
Please note that these security vulnerabilities do NOT impact Shibboleth Service Providers.
If you have deployed Shibboleth IdP on Linux using the recommended instructions, you will need to manually redeploy Jetty to ensure that you are running the latest version of either Jetty 9.2 or 9.3:
Please note that these security vulnerabilities do NOT impact Shibboleth Identity Providers deployed using the Tomcat Servlet Engine.
The Shibboleth Consortium has announced a Windows-only service release for Shibboleth Identity Provider (IdP) taking the latest version of the IdP for Windows to v. 126.96.36.199.
This service update deploys a new version of Jetty which corrects the vulnerabilities outlined in the security advisory.
The update can be downloaded here.
Nature of the Vulnerabilities
The vulnerabilities affect various components of the Jetty Servlet Engine. For more information on the scope of the vulnerabilities, see the official announcement posting on the Jetty forums.
BCS Engineering is always available to assist with your emergency patch or with planning updates for your Shibboleth or SAML-based Single Sign On (SSO) infrastructure. Contact us to schedule a consultation with one of our Shibboleth experts regarding your environment or planning your Identity Provider upgrade today!