
             AUSCERT External Security Bulletin Redistribution

       Shibboleth Service Provider Security Advisory [19 March 2015]
                               20 March 2015


        AusCERT Security Bulletin Summary

Product:           Shibboleth Service Provider
Publisher:         Shibboleth
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0252  

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

Shibboleth Service Provider Security Advisory [19 March 2015]

An updated version of the Shibboleth Service Provider software
is now available which addresses a denial of service vulnerability.

A denial of service vulnerability also exists in the Xerces-C XML
parser used by the software.

OpenSSL has also announced several similar vulnerabilities.

Platforms on which Xerces-C V3.1.1 is an OS-supplied component,
such as Red Hat 7, OpenSUSE 13, and others, will need to ensure
their vendor has supplied an updated package to correct the issue.

On all but Windows, deployers also need to ensure that a suitably
patched version of OpenSSL is used.

Shibboleth SP software crashes on malformed input messages
The SP software contains an authenticated denial of service
vulnerability that results in a crash on certain kinds of malformed
SAML messages. The vulnerability is only triggered when special
conditions are met and after a message or assertion signature
has been verified, so exploitation requires a message produced
under a trusted key, limiting the impact.

More seriously, versions of the Apache Xerces-C XML parser
prior to the just-released V3.1.2 also contain a vulnerability
that causes a crash on malformed input documents. This crash
occurs early in the parsing process and can be exploited by
an unauthenticated attacker. The SP software is vulnerable
to this issue when used with an affected Xerces-C library.

The Xerces-C vulnerability has been published as CVE-2015-0252.

OpenSSL also announced a large set of issues, mostly of a similar
variety, some of which would potentially impact the SP software.
A number of separate issues and CVEs are involved and a link to
the advisories can be found below.

-----------------
Update to V2.5.4 or later of the Shibboleth SP software, and
ensure that V3.1.2 or later of the Xerces-C library is used,
and that an appropriately patched version of OpenSSL is used,
generally either 1.0.2a, 1.0.1m, 1.0.0r, or 0.9.8zf or later.
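
A version check a deployer could run against the minimums listed above, as an added example (not Shibboleth project or AusCERT code); the host version strings in SAMPLE_HOST are constructed, and the OpenSSL patch-letter ordering (a..z, then za..zz) is assumed from OpenSSL's release naming.

```python
"""Version audit for the 19 March 2015 Shibboleth SP advisory minimums (added example, not project code)."""
import re

MIN_SP = (2, 5, 4)        # Shibboleth SP V2.5.4 or later
MIN_XERCES = (3, 1, 2)    # Xerces-C V3.1.2 or later (CVE-2015-0252)
# OpenSSL fixed each branch separately; the trailing letters are the patch level.
MIN_OPENSSL = {(1, 0, 2): "a", (1, 0, 1): "m", (1, 0, 0): "r", (0, 9, 8): "zf"}

def parse_version(version):
    """'3.1.1-2.el7' -> ((3, 1, 1), ''); '1.0.1k-fips' -> ((1, 0, 1), 'k')."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(x) for x in m.groups()[:3]), m.group(4)

def letters_to_int(letters):
    """OpenSSL patch letters run a..z then za..zz; map them to a sortable integer ('' -> 0)."""
    n = 0
    for ch in letters:
        n = n * 26 + (ord(ch) - ord("a") + 1)
    return n

def sp_is_fixed(version):
    return parse_version(version)[0] >= MIN_SP

def xerces_is_fixed(version):
    return parse_version(version)[0] >= MIN_XERCES

def openssl_is_fixed(version):
    """True/False for the four branches the advisory names, None for any other branch.
    Caveat: OS vendors often backport fixes without bumping the upstream version string,
    so for vendor packages confirm the vendor's updated release rather than trusting this."""
    branch, letters = parse_version(version)
    if branch not in MIN_OPENSSL:
        return None
    return letters_to_int(letters) >= letters_to_int(MIN_OPENSSL[branch])

def audit(versions):
    """Map each component to True (fixed), False (vulnerable) or None (branch not covered)."""
    return {"shibboleth-sp": sp_is_fixed(versions["shibboleth-sp"]),
            "xerces-c": xerces_is_fixed(versions["xerces-c"]),
            "openssl": openssl_is_fixed(versions["openssl"])}

# Constructed sample input (as gathered from e.g. `rpm -q` and `openssl version`) on an unpatched host.
SAMPLE_HOST = {"shibboleth-sp": "2.5.3", "xerces-c": "3.1.1-2.el7", "openssl": "1.0.1k"}

if __name__ == "__main__":
    for comp, ok in audit(SAMPLE_HOST).items():
        print("%-14s %-12s %s" % (comp, SAMPLE_HOST[comp], {True: "fixed", False: "VULNERABLE", None: "branch not covered"}[ok]))
```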

For Windows installations, V2.5.4 of the Shibboleth SP is now
available and contains updates to several bundled libraries,
including Xerces-C 3.1.2 and OpenSSL 1.0.2a.

Linux installations relying on official RPM packages can upgrade to
the latest package versions to obtain the fixes.

Sites that rely on an OS-supplied version of Xerces-C V3.1.1 will
need to contact their OS vendor for a fixed version, or manually
build a new or patched version. All RPM platforms on which the OS-
supplied version of Xerces-C is older than V3.1.0 are now built
with Xerces-C V3.1.2 and this is included as a dependent package.
Any use of Xerces-C V2.x is now unsupported, both by the Xerces
Project itself and by the Shibboleth Project.

Sites building from source will need to ensure that the Xerces-C,
OpenSSL, and SP libraries and software are updated to remedy these

---------
Thanks to Brett Slaughter of the University of Missouri for
reporting the SP vulnerability.

URL for this Security Advisory:

Other references:

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.