AAF logo

Security Alerts - Shibboleth Service Provider Security Advisory (27 February 2018)

Security stuff

Shibboleth Service Provider Security Advisory (27 February 2018)

The AAF has received important security advice from the Shibboleth project, which we want to share with our subscribers. 


This advice relates to the XMLTooling library which is in use by the Shibboleth Service Provider.


The XML processing performed by the Service Provider software has been found to be vulnerable to new flaws. These flaws are similar to those we informed you about in mid-January.


Although, XML Encryption is a significant mitigation, attacks on the Response ‘envelope’ may be possible, for the previous instance and this new case.


An updated version of XMLTooling-C (V1.6.4) is available that protects against these new attacks, and should help prevent similar vulnerabilities in the future.


All platforms are impacted by these vulnerabilities.




1. Administrators should read the full security advisory to determine how it applies to their environment.

2. Apply the security patches, which are appropriate to your platform as soon as possible.

3. If your Service Provider is not making use of XML encryption start planning a migration to this mode of operation and implement this as soon as practical.


To view the full Security Advisory, go to: https://shibboleth.net/community/advisories/secadv_20180227.txt

Login or Signup to post a comment

Newsletter Sign-up

To receive regular updates from AAF:
Add Me to the General List or Add Me to the Technical List or Add Me to the ORCID mailing list