Security Alerts - Shibboleth Identity Provider Security Advisory [4 October 2019]

Security stuff

Shibboleth Identity Provider Security Advisory [4 October 2019]

The Shibboleth Identity Provider supports a number of login flows that rely on servlets or JSP pages to operate, including:

  • External
  • RemoteUser
  • X509

The Shibboleth IdP project has identified that a denial of service attack by a remote, unauthenticated attacker, via Java heap exhaustion due to the creation of objects in the Java Servlet container session, under certain conditions.

Rapid IdP subscribers

All IdPs hosted by AAF Rapid IdP have already been upgraded and no further action is required.

If your organisation is interested in automated security patches, please contact enquiries@aaf.edu.au regarding Rapid IdP.

Affected Versions

  • Versions of the Identity Provider between V3.0.0 and V3.4.5


  • Upgrade to Identity Provider V3.4.6 or later

On-Prem IdP Subscribers

View the official security advisory

Thank you to the Shibboleth project, and technical teams at QUT for the research and code patches that underpin this advisory.

Login or Signup to post a comment

Newsletter Sign-up

To receive regular updates from AAF:
Add Me to the General List or Add Me to the Technical List or Add Me to the ORCID mailing list