The Shibboleth Consortium announced today a security advisory for all versions of Shibboleth Identity Provider (IdP). Also announced was a new release of the Shibboleth Identity Provider (v. 3.3.2), which corrects the vulnerabilities outlined in the security advisory. This update can be downloaded here. View the full text of the advisory here.
Please note that this security advisory does NOT impact Shibboleth Service Providers.
According to the security advisory, the vulnerability exists due to a flaw in the library used by Shibboleth to provide authentication against, and attribute resolution from, LDAP servers. According to the advisory, Shibboleth Identity Providers prior to v. 3.3.2 are vulnerable if and only if:
1. The connection is via LDAPS (NOT StartTLS).
2. The connection’s trust configuration is left to the default Java cacerts file, so-called default JVM trust.
Are you vulnerable?
You can relatively quickly gauge whether your IdP is vulnerable; simply examine the “ldap.properties” file located in your Shibboleth Identity Provider configuration directory. Look for the lines:
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.sslConfig = jvmTrust
If your configuration matches this, then we strongly encourage updating your Identity Provider to the latest release as soon as possible.
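As an added example, not part of the announcement or of the Shibboleth project, the following POSIX shell check applies the two-line test above to an ldap.properties file, tolerating Java-properties spacing and commented-out lines. The file path and the case-insensitive value comparison are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory or the Shibboleth project): report whether an
# IdP's ldap.properties combines the two settings the advisory names.
# Usage: check_ldap_props /opt/shibboleth-idp/conf/ldap.properties
# (the IdP home directory is an assumption; it varies by deployment).

# Print the effective value of a property key. Java properties syntax allows
# "key = value" or "key:value" with arbitrary whitespace, and '#' comment lines;
# the last assignment wins, as it does when Java loads the file.
ldap_prop() {
    # $1 = properties file, $2 = key (dots escaped so they match literally)
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n -e 's/^[[:space:]]*'"$key_re"'[[:space:]]*[=:][[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '[:space:]'
}

# Exit 0 when LDAPS without StartTLS (useStartTLS=false) is paired with default
# JVM trust (sslConfig=jvmTrust), 1 otherwise. Values are lower-cased here so
# variants such as "False" are still caught (our choice, not an IdP rule).
ldap_jvmtrust_exposed() {
    starttls=$(ldap_prop "$1" idp.authn.LDAP.useStartTLS | tr 'A-Z' 'a-z')
    ssl=$(ldap_prop "$1" idp.authn.LDAP.sslConfig | tr 'A-Z' 'a-z')
    [ "$starttls" = "false" ] && [ "$ssl" = "jvmtrust" ]
}

# Human-readable verdict; non-zero exit on the vulnerable combination so the
# check can gate a deployment pipeline.
check_ldap_props() {
    if ldap_jvmtrust_exposed "$1"; then
        echo "VULNERABLE: $1 uses LDAPS with default JVM trust; update the IdP to v3.3.2"
        return 1
    fi
    echo "OK: $1 does not combine useStartTLS=false with sslConfig=jvmTrust"
    return 0
}

# Run the check when a file is given on the command line.
if [ -n "$1" ]; then
    check_ldap_props "$1"
fi
```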
Please note that the Shibboleth Identity Provider does not use the settings described by the security advisory by default. Therefore, unless your specific configuration calls for use of the default JVM Trust, it is unlikely that your particular Identity Provider is vulnerable.
However, we recommend that all deployers — regardless of known, specific vulnerability — update to Identity Provider v. 3.3.2 during the soonest available maintenance window.
BCS Engineering is always available to assist with your emergency patch or with planning updates for your Shibboleth or SAML-based Single Sign-On (SSO) infrastructure. Contact us to schedule a consultation with one of our Shibboleth experts regarding your environment or planning your Identity Provider upgrade today!