-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2508
      Shibboleth Identity Provider Security Advisory [4 October 2017]
                               5 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Identity Provider
Publisher:         Shibboleth
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade

Original Bulletin:
   http://shibboleth.net/community/advisories/secadv_20171004.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Identity Provider Security Advisory [4 October 2017]

LDAP Data Connector insecure when using default JVM trust
=========================================================
A flaw in the library used by the LDAP data connector [1] causes the
connector to fail to validate the server certificate and leaves it
vulnerable to man-in-the-middle attacks under the following conditions:

1. The connection is via LDAPS (NOT StartTLS).

2. The connection's trust configuration is left to the default Java
   cacerts file, so-called default JVM trust.

If your connector contains a trustFile attribute or a
<StartTLSTrustCredential> element (which also applies to LDAPS
connections), then it is not relying on default JVM trust and is not
vulnerable.

Affected Versions
=================
Versions of the Identity Provider < 3.3.2 using ldaptive < 1.0.11.

Recommendations
===============
All deployers affected should take at least one, and preferably both, of
the following steps:

1. Update to V3.3.2 to correct the flaw and to maintain use of a supported
   release.

2. Copy the server's certificate (or more typically a CA) to a file and
   reference it with the trustFile attribute.

As a short term fix, you MAY obtain and replace the version of ldaptive
inside the deployed warfile with the latest ldaptive version, but it's
generally simpler to just do the first step above.

Note that as of V3.3.2, the software will now warn in most cases if the
default JVM trust approach is used in the LDAP connector, and a future
version will no longer support this approach, as it continues to be a
source of security problems.

References
==========
URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20171004.txt

Credits
=======
Russell Ianniello, Australian Access Federation

[1] https://wiki.shibboleth.net/confluence/display/IDP30/LDAPConnector

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAlnU3fwACgkQN4uEVAIn
eWIw7A//bQodkXcD+2xRq6iF88WoMNK6Q9Cr8kWH6ypiyRQfj1/kmL1KJgp348bK
VtSm85pQNV35pz5pEOAJ4exW5Mo/R2fJ2Q3dpqv9Qdi/hlOzp2tCyQqSiigm8VMF
ZeJjcofwY2PESV3x8v1KW8NCEsqc3RPedQJHlQ/9mLQI2fxgnH/z6BKp0u+fmTl4
WMRfTioEh0GXZpMj6qPWMIC28iBltSNx9Mzic6cTLcglHx4GhHEmkSobqHICLrKq
+yUlnDbi8n04ghF//RBut9iBQkhCVwUQWxlWEhqasXRJT4PQGZjtE7aCOqk2XPP3
y6MOdBX0PojDqEX5I/kM4ZJQfTy6PWp32SHSMlP0NiDMQzlQmODc1DWQbWO/NGOk
o+nWKQGhvmQl8GtRwtPoE5f8tjYHuC7iqW5fdw676OB4eU5DntLQofc61pXR33+o
OrS8UtB0pGGe/TS5M77oYznJ1IqOWwIaDbHW3ykrN555uOCGFKaNmBL2MghHediZ
h24TwkAv7bnXFJ+qR/WwOIWK2XgDIqybZv4L8FbzBaPYwkyPhpPLQNmh07cFxGCx
DVK3+7C0iXYHycrjxptt1bFYqT+iCHRJg0IGJYVjJ+BD4q9o+p+BQNOdwnjyuE1E
LkUyPuHfYDrhXJOysjQlFFKrufDdONeozlwoLQEff3zNpWGIn6c=
=FXHy
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWdWv/Ix+lLeg9Ub1AQgWfQ/6A/TBYT3QnwYX3wDHH1GtreP4N6m2uEQO
ZMR+R5kxPtCPmJO297vX9fmEeT8uR1UmoKNhojyukHCSwz8gOwmv6PWyXanoP1cg
AQU27O/yje3l7o2BUVyJ/XIBUeNNWIZr78EieyRsl6GqUZaoLyI4e11cX2UJkHyn
8k0DCmC+ybxqVgUWkRE8lWXRvt7EHNcq+nj6Nd0g+SwwaL9fHhyZQg4n+91/QGY0
vLHiok/JlFy9F7+dZ9Yh+kedTTvmu9P7Utqgv6qffQWems7pwyZKJ8Gvag6T9jK7
8+1hU00VTe4uDz/KdZMsVod/BYSQwBHx7hvjDUm6azoWxOSPDtBgMjSosdHE2tA0
b6lD1I0I2ML2vLGIuGXPSZ5Egr5WUtYI/i+d/g6Ufvne//8LNHiRvfxCrGgEZEKP
V7+brxpXbbzK6mz3fanvXrBWteoI6RghoyjTUvUtSYs/9OX12Mvc/+sD6tTSxN+S
WLOYjvjqrzc6rKJNKNCwDB/W01E03P3+cOD/Q7eiEYvfUceAb0kiEN5dCJzUx8vV
mtRW9OGFFMxSwo0JDZofVtQVJrV3ciy5grjP3CKk7hCTb+eDvycP4hPLdCPxgjtd
JuM950B1R75EOtKLoV/2pgAAM2lAhG9U8O+j/ZuJgP4oDZrk6RvadgrzUZjixFNd
HEsZ3sIpk4U=
=ZXtJ
-----END PGP SIGNATURE-----
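The two conditions in the Shibboleth advisory above (LDAPS rather than StartTLS, and no trustFile attribute or <StartTLSTrustCredential> element on the connector) can be checked mechanically against a deployment's attribute-resolver.xml before and after applying the fix. The script below is an added example and is not part of the advisory, the AusCERT bulletin or the Shibboleth project; the resolver fragment, the ldap.properties values, and every hostname, DN, path and connector id in it are constructed placeholders. It resolves %{...} property references first, because the stock IdP 3 configuration routes ldapURL and trustFile through ldap.properties, and treats a trustFile that resolves to an empty value as absent.

```python
"""Flag Shibboleth IdP LDAP data connectors that would rely on default JVM
trust over LDAPS, i.e. the condition described in the advisory.

Added example; not code from the advisory or the Shibboleth project.
"""
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
PROP_REF = re.compile(r"%\{([^}]+)\}")

# Constructed attribute-resolver.xml fragment (placeholder ids, hosts, DNs,
# paths).  The three LDAPDirectory connectors model the cases the advisory
# distinguishes: default JVM trust, explicit trustFile, and values that only
# become known once ldap.properties is resolved.
SAMPLE_RESOLVER_XML = """
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- LDAPS, no trustFile, no StartTLSTrustCredential: default JVM trust -->
  <DataConnector id="ldapDefaultTrust" xsi:type="LDAPDirectory"
      ldapURL="ldaps://ldap.example.org:636"
      baseDN="ou=people,dc=example,dc=org"
      principal="uid=idp,ou=system,dc=example,dc=org"
      principalCredential="PLACEHOLDER">
    <FilterTemplate>(uid=$resolutionContext.principal)</FilterTemplate>
  </DataConnector>

  <!-- LDAPS with a trustFile pointing at the CA that issued the server cert -->
  <DataConnector id="ldapPinned" xsi:type="LDAPDirectory"
      ldapURL="ldaps://ldap.example.org:636"
      baseDN="ou=people,dc=example,dc=org"
      principal="uid=idp,ou=system,dc=example,dc=org"
      principalCredential="PLACEHOLDER"
      trustFile="/opt/shibboleth-idp/credentials/ldap-ca.crt">
    <FilterTemplate>(uid=$resolutionContext.principal)</FilterTemplate>
  </DataConnector>

  <!-- Values come from ldap.properties; trust depends on what they resolve to -->
  <DataConnector id="ldapViaProperties" xsi:type="LDAPDirectory"
      ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
      baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
      trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}">
    <FilterTemplate>(uid=$resolutionContext.principal)</FilterTemplate>
  </DataConnector>

</AttributeResolver>
"""

# Constructed ldap.properties values; trustCertificates deliberately left empty.
SAMPLE_PROPERTIES = {
    "idp.attribute.resolver.LDAP.ldapURL": "ldaps://ldap.example.org:636",
    "idp.attribute.resolver.LDAP.baseDN": "ou=people,dc=example,dc=org",
    "idp.attribute.resolver.LDAP.trustCertificates": "",
}


def local_name(tag):
    """Strip the namespace URI from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def resolve(value, props):
    """Expand %{key} property references; unknown keys expand to empty."""
    if value is None:
        return ""
    return PROP_REF.sub(lambda m: props.get(m.group(1), ""), value).strip()


def find_default_jvm_trust_ldaps(xml_text, props):
    """Return ids of LDAPDirectory connectors that use ldaps:// and carry no
    explicit trust configuration (no trustFile, no StartTLSTrustCredential)."""
    root = ET.fromstring(xml_text)
    flagged = []
    for el in root.iter():
        if local_name(el.tag) != "DataConnector":
            continue
        # Accept "LDAPDirectory" and older prefixed spellings such as "dc:LDAPDirectory".
        if not el.get(XSI_TYPE, "").endswith("LDAPDirectory"):
            continue
        url = resolve(el.get("ldapURL"), props)
        # Condition 1: LDAPS.  StartTLS over ldap:// is outside the advisory.
        if not url.lower().startswith("ldaps://"):
            continue
        # Condition 2: neither a trustFile attribute nor a trust credential child.
        has_trust_file = bool(resolve(el.get("trustFile"), props))
        has_trust_cred = any(local_name(c.tag) == "StartTLSTrustCredential" for c in el)
        if not (has_trust_file or has_trust_cred):
            flagged.append(el.get("id", "<no id>"))
    return flagged


if __name__ == "__main__":
    for cid in find_default_jvm_trust_ldaps(SAMPLE_RESOLVER_XML, SAMPLE_PROPERTIES):
        print(f"{cid}: LDAPS with default JVM trust; set trustFile and upgrade to V3.3.2")
```

Run against the constructed sample it reports ldapDefaultTrust and ldapViaProperties, the second because the trustCertificates property is empty; giving that property a CA file path clears it, which is exactly step 2 of the advisory's recommendations. The check is static: it says nothing about whether the deployed ldaptive version is the fixed one, so step 1 (upgrading to V3.3.2) still has to be verified separately.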