The AAF has received important security advice from the Shibboleth project, which we want to share with our subscribers. 

This advice relates to the XMLTooling library which is in use by the Shibboleth Service Provider.

The XML processing performed by the Service Provider software has been found to be vulnerable to new flaws. These flaws are similar to those we informed you about in mid-January.

Although, XML Encryption is a significant mitigation, attacks on the Response ‘envelope’ may be possible, for the previous instance and this new case.

An updated version of XMLTooling-C (V1.6.4) is available that protects against these new attacks, and should help prevent similar vulnerabilities in the future.

All platforms are impacted by these vulnerabilities.

Recommendations

1. Administrators should read the full security advisory to determine how it applies to their environment.

2. Apply the security patches, which are appropriate to your platform as soon as possible.

3. If your Service Provider is not making use of XML encryption start planning a migration to this mode of operation and implement this as soon as practical.

To view the full Security Advisory, go to: https://shibboleth.net/community/advisories/secadv_20180227.txt