The Shibboleth Consortium announced today a security advisory for Shibboleth Identity Provider (IdP). Also announced was a new release of the Shibboleth Identity Provider (v. 3.3.3), which corrects the vulnerabilities outlined in the security advisory. This update can be downloaded here.
You can view the full text of the advisory here.
Please note that this security advisory does NOT impact Shibboleth Service Providers.
Nature of the Vulnerability
The vulnerability is related to how Shibboleth Identity Provider — when configured to act as a Central Authentication Service (CAS) server — issues CAS tickets. In particular, the default method for generating these tickets “creates a risk of issuing duplicate ticket identifiers in some cases” due to a weak random number generator.
A duplicate ticket identifier could result in a user usurping another user's active, valid session.
Are you vulnerable?
Your Identity Provider is vulnerable if and only if:
- Your Identity Provider is configured to act as a CAS server using the built-in CAS functionality of Shibboleth IdP v3+, AND
- You have configured ticket generation using the (default) SimpleTicketService method.
Please note that the Shibboleth Identity Provider does use the SimpleTicketService ticket generation by default, so it’s imperative to verify your configuration if you use the CAS functionality within Shibboleth.
We encourage you to check your Shibboleth configuration. The file conf/cas-protocol.xml contains all configuration for the CAS protocol support within Shibboleth.
If you are using the SimpleTicketService it is critical that you apply this patch immediately.
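One way to run the configuration check described above, as an added example that is not part of the advisory or of Shibboleth itself: it parses the XML so that commented-out beans, which a plain text search would flag, are ignored. The bean ids and the package name in the embedded sample are constructed placeholders; pass the path to your own conf/cas-protocol.xml as the first argument.

```python
import sys
import xml.etree.ElementTree as ET

NEEDLE = "SimpleTicketService"  # service name as given in the advisory text

# Constructed sample, not a real Shibboleth file: the bean ids and the
# package name "example.cas" are placeholders chosen for this illustration.
SAMPLE = """<beans xmlns="http://www.springframework.org/schema/beans">
    <!-- <bean id="oldTickets" class="example.cas.SimpleTicketService"/> -->
    <bean id="tickets" class="example.cas.SimpleTicketService"/>
    <alias name="tickets" alias="activeTicketService"/>
</beans>
"""

def find_references(xml_data, needle=NEEDLE):
    """Return (element, attribute, value) for each live reference to needle.

    ElementTree discards XML comments while parsing, so commented-out
    beans are not reported, unlike a plain text search.
    """
    hits = []
    root = ET.fromstring(xml_data)
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the "{namespace}" part
        for attr, value in elem.attrib.items():
            if needle in value:
                hits.append((tag, attr.rsplit("}", 1)[-1], value))
        if elem.text and needle in elem.text:
            hits.append((tag, "#text", elem.text.strip()))
    return hits

def main(argv):
    if len(argv) > 1:
        # Read bytes so the parser honours the file's own encoding declaration.
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    hits = find_references(data)
    for tag, attr, value in hits:
        print(f"<{tag}> {attr}={value!r}")
    print("SimpleTicketService referenced" if hits else "no live reference found")
    return 1 if hits else 0  # non-zero exit code when a reference is present

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A result with no hits covers only the file that was parsed.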
We recommend that all deployers — regardless of known, specific vulnerability — update to Identity Provider v. 3.3.3 during the soonest available maintenance window.
BCS Engineering is always available to assist with your emergency patch or with planning updates for your Shibboleth or SAML-based Single Sign On (SSO) Infrastructure. Contact us to schedule a consultation with one of our Shibboleth Experts regarding your environment or planning your Identity Provider upgrade today!