-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0692
       Shibboleth Service Provider Security Advisory [19 March 2015]
                               20 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Service Provider
Publisher:         Shibboleth
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0252  

Original Bulletin: 
   http://shibboleth.net/community/advisories/secadv_20150319.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

Shibboleth Service Provider Security Advisory [19 March 2015]

An updated version of the Shibboleth Service Provider software
is now available which addresses a denial of service vulnerability.

A denial of service vulnerability also exists in the Xerces-C XML
parser used by the software.

OpenSSL has also announced several similar vulnerabilities.

Platforms on which Xerces-C V3.1.1 is an OS-supplied component,
such as Red Hat 7, OpenSUSE 13, and others, will need to ensure
their vendor has supplied an updated package to correct the issue.

On all but Windows, deployers also need to ensure that a suitably
patched version of OpenSSL is used.


Shibboleth SP software crashes on malformed input messages
===============================================================
The SP software contains an authenticated denial of service
vulnerability that results in a crash on certain kinds of malformed
SAML messages. The vulnerability is only triggered when special
conditions are met and after a message or assertion signature
has been verified, so exploitation requires a message produced
under a trusted key, limiting the impact.

More seriously, versions of the Apache Xerces-C XML parser
prior to the just-released V3.1.2 also contain a vulnerability
that causes a crash on malformed input documents. This crash
occurs early in the parsing process and can be exploited by
an unauthenticated attacker. The SP software is vulnerable
to this issue when used with an affected Xerces-C library.

The Xerces-C vulnerability has been published as CVE-2015-0252.

OpenSSL also announced a large set of issues, mostly of a similar
variety, some of which would potentially impact the SP software.
A number of separate issues and CVEs are involved and a link to
the advisories can be found below.

Recommendations
---------------
Update to V2.5.4 or later of the Shibboleth SP software, and
ensure that V3.1.2 or later of the Xerces-C library is used,
and that an appropriately patched version of OpenSSL is used,
generally either 1.0.2a, 1.0.1m, 1.0.0r, or 0.9.8zf or later.

For Windows installations, V2.5.4 of the Shibboleth SP is now
available and contains updates to several libraries, including these
updates to both Xerces-C 3.1.2 and OpenSSL 1.0.2a.

Linux installations relying on official RPM packages can upgrade to
the latest package versions to obtain the fixes.

Sites that rely on an OS-supplied version of Xerces-C V3.1.1 will
need to contact their OS vendor for a fixed version, or manually
build a new or patched version. All RPM platforms on which the OS-
supplied version of Xerces-C is older than V3.1.0 are now built
with Xerces-C V3.1.2 and this is included as a dependent package.
Any use of Xerces-C V2.x is now unsupported, both by the Xerces
Project itself and by the Shibboleth Project.

Sites building from source will need to ensure that the Xerces-C,
OpenSSL, and SP libraries and software are updated to remedy these
issues.
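
The recommendations above give a fixed minimum for each of the three
components, and for OpenSSL the fix is a different letter release on
each branch. The following script is an added example (not part of the
original advisory or of any Shibboleth or AusCERT tooling) that encodes
those thresholds and checks version strings against them. It assumes
the version strings are supplied by the deployer, for instance the
output of "openssl version" and the upstream version of the installed
Xerces-C and SP packages; the sample inputs in the block are
constructed for illustration.

```python
import re

# Minimum fixed versions stated in the advisory (ESB-2015.0692 /
# secadv_20150319): SP 2.5.4, Xerces-C 3.1.2.
MIN_SP = (2, 5, 4)
MIN_XERCES = (3, 1, 2)

# OpenSSL fixes are per release branch: branch -> first patched letter
# suffix (1.0.2a, 1.0.1m, 1.0.0r, 0.9.8zf).
OPENSSL_FIXED = {
    (1, 0, 2): "a",
    (1, 0, 1): "m",
    (1, 0, 0): "r",
    (0, 9, 8): "zf",
}


def parse_numeric(version):
    """'3.1.1' -> (3, 1, 1). Tolerates packaging suffixes such as '3.1.1-2.el7'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(x) for x in m.groups())


def parse_openssl(version):
    """Accepts '1.0.1k' or a full 'openssl version' banner such as
    'OpenSSL 1.0.1k-fips 8 Jan 2015'. Returns ((1, 0, 1), 'k')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    branch = tuple(int(x) for x in m.groups()[:3])
    return branch, m.group(4)


def letter_key(suffix):
    """Sort key for OpenSSL letter releases: '' < 'a' < ... < 'z' < 'za' < 'zf'.
    Comparing length first handles the two-letter 0.9.8z* series correctly."""
    return (len(suffix), suffix)


def sp_is_fixed(version):
    return parse_numeric(version) >= MIN_SP


def xerces_is_fixed(version):
    return parse_numeric(version) >= MIN_XERCES


def openssl_is_fixed(version):
    """True/False for the branches the advisory lists; None for any other
    branch, which this advisory does not cover."""
    branch, suffix = parse_openssl(version)
    if branch not in OPENSSL_FIXED:
        return None
    return letter_key(suffix) >= letter_key(OPENSSL_FIXED[branch])


def check_host(sp_version, xerces_version, openssl_version):
    """Summarise one host: component -> True (fixed), False (vulnerable),
    or None (branch not covered by the advisory)."""
    return {
        "shibboleth-sp": sp_is_fixed(sp_version),
        "xerces-c": xerces_is_fixed(xerces_version),
        "openssl": openssl_is_fixed(openssl_version),
    }


if __name__ == "__main__":
    # Constructed sample host: SP patched, Xerces-C and OpenSSL still old.
    report = check_host("2.5.4", "3.1.1-2.el7", "OpenSSL 1.0.1k-fips 8 Jan 2015")
    for component, ok in report.items():
        state = {True: "fixed", False: "VULNERABLE", None: "not covered"}[ok]
        print("%-14s %s" % (component, state))
```

The check compares upstream version strings only. Where the advisory
says to rely on the OS vendor (Red Hat, OpenSUSE and similar), the
distribution may ship the fix as a backport without changing the
upstream version, so on those platforms the authoritative check is the
vendor's errata for the installed package, not this comparison.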

Credits
-------
Thanks to Brett Slaughter of the University of Missouri for
reporting the SP vulnerability.

URL for this Security Advisory:
http://shibboleth.net/community/advisories/secadv_20150319.txt

Other references:
http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt
http://openssl.org/news/secadv_20150319.txt

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
=UV97
-----END PGP SIGNATURE-----