Shibboleth Identity Provider + OpenSAML Security Advisory

Posted on Wednesday, 11 January 2023

Shibboleth users have been notified of a critical Remote Code Execution (RCE) vulnerability affecting some deployments of the Shibboleth Identity Provider (IdP). The formal announcement from the project is linked below; it was posted to announce@shibboleth.net [1] on Friday, 16 December 2022.

Ref: https://shibboleth.net/community/advisories/secadv_20221216.txt

If you are running an out-of-date Shibboleth IdP (older than 4.2.0) on an out-of-date Java runtime (older than the fixed versions listed below), your deployment is affected: update at least one of the two components, and preferably both, as soon as possible. Full details are in the advisory linked above.

For context, the Shibboleth project's only supported version of the IdP is the latest version (4.2.1).

The underlying issue is fixed in the following OpenJDK releases (and in later updates of each release line):

  • 7u351
  • 8u341
  • 11.0.16
  • 17.0.4
  • 18.0.2

For Amazon Corretto the corresponding fixed builds are:

  • 8.342.07.1
  • 11.0.16.8.1
  • 17.0.4.8.1
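The two version lists above use different numbering schemes (OpenJDK's "7u351"/"1.8.0_341" and "11.0.16" forms versus Corretto's own build numbers such as 8.342.07.1), which makes a quick eyeball check error-prone. The script below is an added example for this page, not tooling from the Shibboleth project or the UK federation: it parses the text printed by `java -version` (which goes to stderr, hence the `2>&1` in the usage comment), compares it against the fixed versions listed above, and combines the result with an IdP version string supplied by the deployer (for example the version reported by the IdP's bin/version.sh script, assumed here). The sample `java -version` outputs embedded in the block are constructed for illustration, not captured from real hosts.

```python
import re
import sys
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Minimum OpenJDK releases carrying the fix, per the list above, keyed by
# feature release and stored as (feature, interim, update) so that plain
# tuple comparison works: 7u351 -> (7, 0, 351), 11.0.16 -> (11, 0, 16).
OPENJDK_FIXED: Dict[int, Version] = {
    7: (7, 0, 351),
    8: (8, 0, 341),
    11: (11, 0, 16),
    17: (17, 0, 4),
    18: (18, 0, 2),
}

# Minimum Amazon Corretto builds carrying the fix, per the list above.
# Corretto numbers its builds differently (8.342.07.1 is Corretto's build
# of 1.8.0_342-b07), so it is matched on the "Corretto-x.y.z" token.
CORRETTO_FIXED: Dict[int, Version] = {
    8: (8, 342, 7, 1),
    11: (11, 0, 16, 8, 1),
    17: (17, 0, 4, 8, 1),
}

# First IdP release that no longer depends on the Java-side fix (see above).
IDP_FIXED: Version = (4, 2, 0)

# Constructed sample outputs (not captured from real hosts), in the formats
# that `java -version` prints for OpenJDK and for Amazon Corretto.
SAMPLES = {
    "openjdk8_old": 'openjdk version "1.8.0_332"\n'
                    'OpenJDK Runtime Environment (build 1.8.0_332-b09)\n',
    "openjdk11_fixed": 'openjdk version "11.0.16" 2022-07-19\n'
                       'OpenJDK Runtime Environment (build 11.0.16+8)\n',
    "corretto17_fixed": 'openjdk version "17.0.4" 2022-07-19 LTS\n'
                        'OpenJDK Runtime Environment Corretto-17.0.4.8.1 (build 17.0.4+8-LTS)\n',
    "corretto8_old": 'openjdk version "1.8.0_332"\n'
                     'OpenJDK Runtime Environment Corretto-8.332.08.1 (build 1.8.0_332-b08)\n',
    "openjdk19": 'openjdk version "19" 2022-09-20\n',
}


def parse_java_version(output: str) -> Version:
    """Return (feature, interim, update) from `java -version` output.

    Handles the legacy scheme ("1.8.0_332" -> (8, 0, 332)) and the
    JEP 223 scheme ("11.0.16" -> (11, 0, 16), "17" -> (17, 0, 0)).
    """
    m = re.search(r'version "([^"]+)"', output)
    if not m:
        raise ValueError("no quoted version string in java -version output")
    ver = m.group(1)
    legacy = re.match(r"1\.(\d+)\.(\d+)(?:_(\d+))?", ver)
    if legacy:
        feature, interim, update = legacy.groups()
        return (int(feature), int(interim), int(update or 0))
    modern = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", ver)
    if not modern:
        raise ValueError(f"unrecognised Java version string {ver!r}")
    return tuple(int(p or 0) for p in modern.groups())


def parse_corretto_build(output: str) -> Optional[Version]:
    """Return the Corretto build tuple, or None for a non-Corretto runtime."""
    m = re.search(r"Corretto-(\d+(?:\.\d+)+)", output)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def java_status(output: str) -> str:
    """Classify `java -version` output as 'fixed', 'not fixed' or 'unknown'.

    'unknown' means the feature release is not in the lists above; treat it
    as needing manual review rather than as safe.
    """
    corretto = parse_corretto_build(output)
    if corretto is not None and corretto[0] in CORRETTO_FIXED:
        return "fixed" if corretto >= CORRETTO_FIXED[corretto[0]] else "not fixed"
    # Non-Corretto builds (and Corretto feature releases not listed above)
    # are compared on the upstream version string instead.
    version = parse_java_version(output)
    fixed = OPENJDK_FIXED.get(version[0])
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "not fixed"


def deployment_exposed(idp_version: str, java_output: str) -> bool:
    """True when both conditions hold: IdP older than 4.2.0 and a Java
    runtime not confirmed fixed. 'unknown' deliberately counts as not fixed."""
    parts = [int(p) for p in re.findall(r"\d+", idp_version)[:3]]
    idp = tuple(parts + [0] * (3 - len(parts)))  # pad "4.2" to (4, 2, 0)
    return idp < IDP_FIXED and java_status(java_output) != "fixed"


if __name__ == "__main__":
    # Usage: java -version 2>&1 | python3 check_idp_java.py [idp-version]
    java_out = sys.stdin.read()
    print("java runtime:", java_status(java_out))
    if len(sys.argv) > 1:
        print("deployment exposed:", deployment_exposed(sys.argv[1], java_out))
```

Run it on each IdP host, not just where the IdP was built: the runtime that matters is the one the servlet container actually starts with, so point `java` at that JVM (or use the container's configured JAVA_HOME) rather than whatever is first on the shell's PATH. A result of "unknown" for a feature release outside the lists above is not a clean bill of health; check the vendor's release notes for that line.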

For further support, please contact the UK federation service desk.

[1] https://shibboleth.net/mailman/listinfo/announce

Edited by SaraHopkins on 11 January 2023, at 04:35 PM