-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0692
        Shibboleth Service Provider Security Advisory [19 March 2015]
                               20 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Service Provider
Publisher:         Shibboleth
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0252

Original Bulletin:
   http://shibboleth.net/community/advisories/secadv_20150319.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

Shibboleth Service Provider Security Advisory [19 March 2015]

An updated version of the Shibboleth Service Provider software is now
available which addresses a denial of service vulnerability. A denial of
service vulnerability also exists in the Xerces-C XML parser used by the
software. OpenSSL has also announced several similar vulnerabilities.

Platforms on which Xerces-C V3.1.1 is an OS-supplied component, such as
Red Hat 7, OpenSUSE 13, and others, will need to ensure their vendor has
supplied an updated package to correct the issue. On all but Windows,
deployers also need to ensure that a suitably patched version of OpenSSL
is used.

Shibboleth SP software crashes on malformed input messages
===============================================================

The SP software contains an authenticated denial of service vulnerability
that results in a crash on certain kinds of malformed SAML messages. The
vulnerability is only triggered when special conditions are met and after
a message or assertion signature has been verified, so exploitation
requires a message produced under a trusted key, limiting the impact.
More seriously, versions of the Apache Xerces-C XML parser prior to the
just-released V3.1.2 also contain a vulnerability that causes a crash on
malformed input documents. This crash occurs early in the parsing process
and can be exploited by an unauthenticated attacker. The SP software is
vulnerable to this issue when used with an affected Xerces-C library. The
Xerces-C vulnerability has been published as CVE-2015-0252.

OpenSSL also announced a large set of issues, mostly of a similar variety,
some of which would potentially impact the SP software. A number of
separate issues and CVEs are involved and a link to the advisories can be
found below.

Recommendations
- - -----------------

Update to V2.5.4 or later of the Shibboleth SP software, and ensure that
V3.1.2 or later of the Xerces-C library is used, and that an appropriately
patched version of OpenSSL is used, generally either 1.0.2a, 1.0.1m,
1.0.0r, or 0.9.8zf or later.

For Windows installations, V2.5.4 of the Shibboleth SP is now available
and contains updates to several libraries, including these updates to both
Xerces-C 3.1.2 and OpenSSL 1.0.2a.

Linux installations relying on official RPM packages can upgrade to the
latest package versions to obtain the fixes. Sites that rely on an
OS-supplied version of Xerces-C V3.1.1 will need to contact their OS vendor
for a fixed version, or manually build a new or patched version. All RPM
platforms on which the OS-supplied version of Xerces-C is older than V3.1.0
are now built with Xerces-C V3.1.2 and this is included as a dependent
package.

Any use of Xerces-C V2.x is now unsupported, both by the Xerces Project
itself and by the Shibboleth Project.

Sites building from source will need to ensure that the Xerces-C, OpenSSL,
and SP libraries and software are updated to remedy these issues.

Credits
- - ---------

Thanks to Brett Slaughter of the University of Missouri for reporting the
SP vulnerability.
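The Recommendations above name a minimum version for each of the three components (SP V2.5.4, Xerces-C V3.1.2, and a per-branch OpenSSL letter release). The following is an added example, not part of the advisory or of the Shibboleth project's code, that encodes those minimums and checks version strings against them. The version strings in the comments and in the `audit_host` helper are constructed for illustration; the RPM package names `shibboleth` and `xerces-c` are an assumption about the deployer's platform, not something the advisory states, and any component that cannot be queried is simply skipped.

```python
"""Audit installed Shibboleth SP, Xerces-C and OpenSSL versions against the
minimums stated in the Shibboleth SP advisory of 19 March 2015.

Added example, not the advisory's or the project's own code. The host-query
helper assumes RPM package names 'shibboleth' and 'xerces-c' (assumption)
and the standard 'openssl version' command.
"""
import re
import shutil
import subprocess

# Minimums stated in the advisory.
MIN_SP = (2, 5, 4)        # Shibboleth SP V2.5.4 or later
MIN_XERCES = (3, 1, 2)    # Xerces-C V3.1.2 or later
# OpenSSL was patched per release branch; the branch selects the letter.
MIN_OPENSSL_LETTER = {
    (1, 0, 2): "a",
    (1, 0, 1): "m",
    (1, 0, 0): "r",
    (0, 9, 8): "zf",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Extract (major, minor, fix, letters) from strings such as 'V3.1.2',
    'shibboleth-2.5.3-1.1' or 'OpenSSL 1.0.1e-fips 11 Feb 2013'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def letter_key(letters):
    """OpenSSL patch letters run a..z and then za, zb, ...; a plain release
    (no letter) precedes 'a'. Ordering by (length, text) reproduces that."""
    return (len(letters), letters)


def sp_is_fixed(version_text):
    return parse_version(version_text)[:3] >= MIN_SP


def xerces_is_fixed(version_text):
    return parse_version(version_text)[:3] >= MIN_XERCES


def openssl_is_fixed(version_text):
    major, minor, fix, letters = parse_version(version_text)
    branch = (major, minor, fix)
    if branch in MIN_OPENSSL_LETTER:
        return letter_key(letters) >= letter_key(MIN_OPENSSL_LETTER[branch])
    # Branch not listed in the advisory (assumption): anything newer than
    # 1.0.2 post-dates these fixes; anything older than 0.9.8 is unsupported.
    return branch > (1, 0, 2)


def audit(sp=None, xerces=None, openssl=None):
    """Return a list of findings for the version strings given (None means
    'not present / not checked'). An empty list means every supplied
    component meets the advisory's minimum."""
    findings = []
    checks = (
        ("Shibboleth SP", sp, sp_is_fixed, "V2.5.4"),
        ("Xerces-C", xerces, xerces_is_fixed, "V3.1.2"),
        ("OpenSSL", openssl, openssl_is_fixed, "1.0.2a / 1.0.1m / 1.0.0r / 0.9.8zf"),
    )
    for name, text, is_fixed, minimum in checks:
        if text is None:
            continue
        try:
            ok = is_fixed(text)
        except ValueError:
            findings.append("%s: could not parse a version from %r" % (name, text.strip()))
            continue
        if not ok:
            findings.append("%s %r is below the advisory minimum (%s)"
                            % (name, text.strip(), minimum))
    return findings


def _run(cmd):
    """Run a command if its binary exists; return its stdout, else None."""
    if shutil.which(cmd[0]) is None:
        return None
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except subprocess.CalledProcessError:
        return None  # e.g. 'package not installed'
    return out.strip() or None


def audit_host():
    """Query the local host (RPM package names are an assumption)."""
    return audit(
        sp=_run(["rpm", "-q", "--qf", "%{VERSION}", "shibboleth"]),
        xerces=_run(["rpm", "-q", "--qf", "%{VERSION}", "xerces-c"]),
        openssl=_run(["openssl", "version"]),
    )


if __name__ == "__main__":
    for line in audit_host() or ["no findings for the components detected"]:
        print(line)
```

On non-RPM platforms only the OpenSSL check will run; substitute the package query your platform uses, and remember that an OS-supplied Xerces-C V3.1.1 reported as fixed by the vendor may carry a backported patch under the old version number, which a version comparison alone cannot see.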
URL for this Security Advisory:
http://shibboleth.net/community/advisories/secadv_20150319.txt

Other references:
http://xerces.apache.org/xerces-c/secadv/CVE-2015-0252.txt
http://openssl.org/news/secadv_20150319.txt

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVQuWsxLndAQH1ShLAQI04A/+K+xGGoG5wvjfhQ2RDQPcKZomrakIYYw+
wKzFSPjn9ElBEkNGItG9u0L0G+Ru2y2dPXpheV6Qr6V57E2q32DjZLSfvIcIpho7
Yj+Qvg93KF25RzderWpWhUOahcEM9OCRVyENJuRlatgU6vOCIL+fNZIT8rvh6IYv
hZgkmm1z7WF4H/qMiH1Tvxqzo4kyqNH6IVq/xxswBt69uzmgR+GCsnisovh0JAA+
DEVUsyAGdJcSoKCoKyhr4slb8nX6C+nnR6UjImArr2jOEXYquSASOKacoI/edP1U
SeVxGl3+dtfPn4+m3frZ1Kbpf4hCbrIb0o5HHAulgEWrmT9RNWJyoxHwgEJfyEnt
dKnOT88FerootuejSJ/j5rXr8gk5orSyiHQl6bjVSL/wZGAUVsdjry31NiiK+bjq
v9PoNJnkscKb/cXu4gdeR4KWKqvFWe65Eh0Gsb3iYt8Xmsu2391biFiULyvgr1yN
1krAauE/F1Na0fOiEECSw7XxrELgPiBzn6Puh+pHUAki+eCuWP7KI7Y/phH5ge8u
K5bB+0bYEUQ9KbtsPd+HasWeoK8YCMTRCpxofA7ttQn2L08rLssEe2h4dtHBaT60
4hVIetbxHUU7EyYCOkQ9lErz9x/OytjBihTiHldvyVqaK4ODSkkpFgbaFlEe3ypA
hxhORqBbCKw=
=UV97
-----END PGP SIGNATURE-----