Security Alerts - Shibboleth Service Provider Security Advisory [03 August 2018]
The AAF has received important security advice from the Shibboleth project, which we want to share with our subscribers.
SAML messages, assertions, and metadata all commonly make use of the XML Signature KeyInfo construct, which expresses information about keys and certificates used in signing or encrypting XML.
It has been determined that a crash can be triggered within the Shibboleth SP when it is given malformed KeyInfo data. Such a crash prevents your users from accessing protected resources until the daemon is restarted.
This issue is present in 2.x and 3.x versions of the Shibboleth SP. Following the end of life of Shibboleth V2, only the 3.x Shibboleth SP release is being patched against this issue.
1. Read the security advisory for more information on how this issue can impact production environments.
2. Plan upgrades based on the operating system and deployed Shibboleth SP version:
Please contact firstname.lastname@example.org should you need any assistance.
View the official security advisory
Thank you to the Shibboleth project for the research and code patches which underpin this advisory.