Shibboleth Service Provider Security Advisory 31st August 2020

Posted on Tuesday, 1 September 2020

A security advisory [1] has been released for the Shibboleth Service Provider affecting deployments running on Windows and using the "modern" module for Microsoft IIS V7+. This module contains a flaw that can be triggered remotely, resulting in a potential denial of service condition exploitable by an unauthenticated attacker. A service patch for the Windows distribution of the Service Provider software is now available [2]; this update contains a fix for a bug [3] in the IIS module. Other important information can be found in the release notes [4], which should be reviewed when upgrading.

  • If you are not using the Shibboleth Service Provider for Windows, then your deployment is not affected.
  • If you are using the Shibboleth Service Provider for Windows with Apache, the older IIS module or older ISAPI filter/extensions or any other SP integration variants, then your deployment is not affected.

If your deployment is affected, the recommended solution is to upgrade to V3.1.0.2 or later of the Windows installation package.

Deployers of all versions of the Shibboleth Service Provider should note that the current stable release [5] of the Service Provider is V3.1.0, and there is no supported previous stable release. Deployers are reminded that they should subscribe to the Shibboleth Announcement mailing list [6], which is where announcements about new releases, end of life of past releases, and security advisories are distributed.

Please contact the UK federation service desk (service@ukfederation.org.uk) if you have any questions about this announcement or require help or guidance on upgrading your software.

[1] https://shibboleth.net/community/advisories/secadv_20200831.txt

[2] https://shibboleth.net/downloads/service-provider/3.1.0/win32/ or https://shibboleth.net/downloads/service-provider/3.1.0/win64/ as appropriate

[3] https://issues.shibboleth.net/jira/browse/SSPCPP-904

[4] https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes

[5] https://wiki.shibboleth.net/confluence/display/DEV/ProductVersioning

[6] https://shibboleth.net/mailman/listinfo/announce

Edited by SteveGlover on 01 September 2020, at 11:58 AM