On September 7th, the SimpleSAMLphp (SSP) team announced the general availability of SimpleSAMLphp 1.16.1. This is a major new release of SSP which includes over 10 months of cumulative work to improve the package. With this update IDM Integration is recommending that all SSP deployers update immediately.

If you’re unfamiliar with SSP it’s a robust package for adding SAML support to PHP applications. It also includes a PHP-based Identity Provider package that allows for a rapid IDP deployment.

The 1.16.x branch of SSP includes several major changes, include the following most noteworthy items:

• Setting the default signature algorithm is now RSA-SHA256,
• PHP 7.2 compatibility,
• Updated translation, and
• Further improvements to documentation, tests suite, and code quality.

Need help with upgrading?

IDM Integration has a full complement of well-qualified SAML engineers who are experts with SimpleSAMLphp and other major SAML packages, so contact us today!

New versions of the Jetty java servlet engine have been released for the 9.2.x, 9.3.x, and 9.4.x branches. These versions address five security vulnerabilities.

As a result, all deployers of the Shibboleth Identity Provider software utilizing Jetty (the default in IdP 3.0+) must deploy these updates.

Please note that these security vulnerabilities do NOT impact Shibboleth Service Providers.

For Linux

If you have deployed Shibboleth IdP on Linux using the recommended instructions, you will need to manually redeploy Jetty to ensure that you are running the latest version of either Jetty 9.2 or 9.3:

9.2.x – 9.2.25.v20180606 or later
9.3.x – 9.3.24.v20180605 or later

Please note that these security vulnerabilities do NOT impact Shibboleth Identity Providers deployed using the Tomcat Servlet Engine.

For Windows

The Shibboleth Consortium has announced a Windows -only service release for Shibboleth Identity Provider (IdP) taking the latest version of the IdP for Windows to v. 3.3.3.1.

This service update deploys a new version of Jetty which corrects the vulnerabilities outlined in the security advisory.

The update can be downloaded here.

Nature of the Vulnerabilities

The vulnerabilities are with various components of the Jetty Servlet Engine. For more information on the scope of the vulnerabilities, see the official announcement posting on the Jetty forums.

Need help?

BCS Engineering is always available to assist with your emergency patch or with planning updates for your Shibboleth or SAML-based Single Sign On (SSO) Infrastructure. Contact us to schedule a consultation with one of our Shibboleth Exports regarding your environment or planning your Identity Provider upgrade today!

The Shibboleth Consortium announced today a security advisory for  Shibboleth Identity Provider (IdP). Also announced was a new release of the Shibboleth Identity Provider (v. 3.3.3), which corrects the vulnerabilities outlined in the security advisory. This update can be downloaded here.

You can view the full text of the advisory here.

Please note that this security advisory does NOT impact Shibboleth Service Providers.

Nature of the Vulnerability

The vulnerability is related to how Shibboleth Identity Provider — when configured to act as a Central Authentication Service (CAS) server — issues CAS tickets. In particular, the default method for generating these tickets “creates a risk of issuing duplicate ticket identifiers in some cases” due to a weak random number generator.

A duplicate ticket identifier could result in a user usurping another users active, valid session.

Are you vulnerable?

Your Identity Provider is vulnerable if and only if:

1. Your Identity Provider is configured to act as a CAS server using the built-in CAS functionality of Shibboleth IdP v3+, AND
2. You have configured ticket generation using the (default) SimpleTicketService method.

Please note that the Shibboleth Identity Provider does use the SimpleTicketService ticket generation by default, so it’s imperative to verify your configuration if you use the CAS functionality within Shibboleth.

We encourage your to check your Shibboleth configuration. The file conf/cas-protocol.xml contains all configuration for the CAS protocol support within Shibboleth.

If you are using the SimpleTicketService it is critical that you apply this patch immediately.

We recommend that all deployers — regardless of known, specific vulnerability — update to Identity Provider v. 3.3.3 during the soonest available maintenance window.

Need help?

BCS Engineering is always available to assist with your emergency patch or with planning updates for your Shibboleth or SAML-based Single Sign On (SSO) Infrastructure. Contact us to schedule a consultation with one of our Shibboleth Exports regarding your environment or planning your Identity Provider upgrade today!

The Shibboleth Consortium announced today a security advisory for all versions of Shibboleth Service Provider (SP).

Please note that this security advisory does NOT impact Shibboleth Identity Providers (IdP). 

According to the security advisory the problem exists due to the version of the XMLTooling-C library used by Shibboleth. This library is used by Shibboleth to parse the XML content of the SAML Assertions that are posted to the service provider. The issues:

“make it impossible to fully disable Document Type Definition (DTD) processing.”

“Through addition/manipulation of a DTD, it’s possible to make changes to an XML document that do not break a digital signature but are mishandled by the SP and its libraries. These manipulations can alter the user data passed through to applications behind the SP and result in impersonation attacks and exposure of protected information.”

Therefore this vulnerability can result in a malicious user modifying a SAML assertion.

Are you vulnerable?

Some platforms are more vulnerable than others; for example Windows systems have a version of the XMLTooling which has DTD-specification disabled. Linux (and Mac) systems running Shibboleth SP, however, currently appear to be vulnerable.

If you are not using the Shibboleth SP v2.6.1 we recommend immediately updating.

Furthermore, if you are using the 2.6.1 release of Shibboleth, please ensure that your XMLTooling libraries are up-to-date.

For Red Hat/CentOS, we recommend using the official Shibboleth Repositories.  To see a list of all packages which need updating within this repo:

$ sudo yum --disablerepo='*' --enablerepo='security_shibboleth' list available

Non-RPM-based installations will need to manually update to v.1.6.3 of the XMLTooling-C library.

Need help?

BCS Engineering is always available to assist with emergency patching, or with planning for updates for your Shibboleth or SAML-based Single Sign On (SSO) Infrastructure. Contact us to schedule a consultation with one of our Shibboleth Engineers regarding your SSO environment today!

The Shibboleth Consortium announced today a security advisory for all versions of Shibboleth Identity Provider (IdP). Also announced was a new release of the Shibboleth Identity Provider (v. 3.3.2), which corrects the vulnerabilities outlined in the security advisory. This update can be downloaded here. View the full text of the advisory here.

Please note that this security advisory does NOT impact Shibboleth Service Providers.

According to the security advisory the vulnerability exists due to a flaw with the library used by Shibboleth to provide authentication against and attribute resolution from LDAP servers. According to the advisory, Shibboleth Identity Providers prior to v. 3.3.2 are vulnerable if and only if:

1. The connection is via LDAPS (NOT StartTLS).
2. The connection’s trust configuration is left to the default Java cacerts file, so-called default JVM trust.

Are you vulnerable?

You can relatively quickly gauge whether your IdP is vulnerable; simply examine the “ldap.properties” file located in your Shibboleth Identity Provider configuration directory. Look for the lines:

idp.authn.LDAP.useStartTLS = false 
idp.authn.LDAP.sslConfig = jvmTrust 

If your configuration matches this, then we strongly encourage updating your Identity Provider to the latest release as soon as possible.

Please note that the Shibboleth Identity Provider does not use the settings described by the security advisory by default. Therefore, unless your specific configuration calls for use of the default JVM Trust, it is unlikely that your particular Identity Provider is vulnerable.

However, we recommend that all deployers — regardless of known, specific vulnerability — update to Identity Provider v. 3.3.2 during the soonest available maintenance window.

Need help?

BCS Engineering is always available to assist with your emergency patch or with planning updates for your Shibboleth or SAML-based Single Sign On (SSO) Infrastructure. Contact us to schedule a consultation with one of our Shibboleth Exports regarding your environment or planning your Identity Provider upgrade today!