Shibboleth Identity Provider Security Advisory 4th October 2017

Posted on Wednesday, 4 October 2017

A security advisory [1] has been released for the Shibboleth v3 Identity Provider that involves deployments connecting to an organisational directory service over LDAPS and relying on the jvmTrust setting. The issue could result in a Man In The Middle attack between the directory service and the IdP. Also, a patch release of the Shibboleth IdP (v3.3.2) has been released which fixes this issue [2]. Other important information can be found in the release notes which should be reviewed when upgrading. [3]

  • If you are not using LDAPS to connect to your LDAP/Active Directory, then your deployment is not affected.
  • If you are using LDAPS, and you have explicitly configured the LDAP/Active Directory's server certificate in ldap.properties, then your deployment is not affected.
  • If you are still running a Shibboleth v2 Identity Provider, then your deployment is not affected, but we remind you that the Shibboleth v2 Identity Provider has been End Of Life since July 31st 2016 and you should upgrade to supported software as soon as possible.

If your deployment is affected, then the advisory describes a workaround, although upgrading to v3.3.2 is the recommended solution.

As such, all UK federation members with on-premises Shibboleth Identity Provider software deployments are encouraged to migrate to the new release, v3.3.2, as soon as possible. This release is now the current stable release of the Shibboleth IdP, and therefore all earlier releases are unsupported by the Shibboleth Project.

Please contact the UK federation service desk (service@ukfederation.org.uk) if you have any questions about this announcement or require help or guidance on upgrading your software.

[1] The URL for the Shibboleth advisory is http://shibboleth.net/community/advisories/secadv_20171004.txt

[2] Shibboleth download: https://shibboleth.net/downloads/identity-provider/3.3.2/

[3] Release notes: https://wiki.shibboleth.net/confluence/display/IDP30/ReleaseNotes

Edited by AlexStuart on 05 October 2017, at 10:06 AM (Permalink)