Important Shibboleth Identity Provider (IdP) update V4.1.6

Posted on Friday, 1 April 2022

The Shibboleth project has released V4.1.6 of the Identity Provider [1] to address this week's Spring vulnerability. If you are already running Shibboleth V4.1.x, this should be a straightforward upgrade.

We would like to take this opportunity to remind participants in the UK federation running the Shibboleth IdP to maintain and regularly update the software.

The following is the announcement from the Shibboleth project [4]:

We do not have any specific knowledge that this vulnerability affects the IdP and a fair amount of insight that it may well not, but the Spring project hasn't corroborated our research by clearly pointing to the feature we think triggers the bug, so we're erring on the cautious side and just assuming we're vulnerable and believe deployers should do so as well. I've updated the security page [3] to reflect that assumption.

V4.2.0 is imminent, but it is a minor upgrade without a definite release date, so waiting for it is not likely the best course for most.

Note: if you are using other SAML software or running the Shibboleth Service Provider, you are not affected by this announcement, but you should still maintain and update software in your control and/or work with your vendor or third-party support to determine if you may be affected by any software vulnerabilities, including the recently announced Spring4Shell vulnerability [2].

If you are not already subscribed, please make sure you are signed up to the Shibboleth announce list [5] to receive these announcements directly from the Shibboleth project.

[1] http://shibboleth.net/downloads/identity-provider/latest/
[2] https://tanzu.vmware.com/security/cve-2022-22965
[3] https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631889/SecurityAdvisories
[4] http://shibboleth.net/pipermail/announce/2022-March/000260.html
[5] https://shibboleth.net/mailman/listinfo/announce

Edited by SteveGlover on 01 April 2022, at 01:25 PM