Security Alerts - Security Advisory for Shibboleth Service Providers (17 March 2021)
On 17 March 2021 a Shibboleth Service Provider vulnerability was announced which exposes the software to phishing attacks.
Shibboleth has advised that this vulnerability was of moderate severity.
The AAF team has patched its own Shibboleth SP deployments across a range of products and services, including Rapid IdP, Rapid Connect, VHO, VerifID Global and Validator.
Affected: all subscribers who run Shibboleth SP (version 3.2.0 or older) in the Federation.
Action required: upgrade Shibboleth SP to version 3.2.1 or later.
View the official security advisory
See all known vulnerabilities: https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories
Please note that Rapid Connect (https://rapid.aaf.edu.au/) users are already protected and no further action is required.
Upgrading Shibboleth SP can be done through your distribution's package manager (e.g. yum, apt or rpm, depending on the distribution) or by a manual install from https://shibboleth.net/downloads/service-provider/
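The upgrade check above as an added shell example (not AAF's or Shibboleth's own code): it classifies a Shibboleth SP version string against the affected range (3.2.0 or older) and, where a local shibd exists, reports whether this host still needs the 3.2.1+ upgrade. It assumes that `shibd -v` prints the version number; the comparison functions themselves need nothing installed.

```shell
#!/bin/sh
# Added example (not AAF's or Shibboleth's code): decide whether a Shibboleth SP
# version falls inside the affected range named in this advisory.
FIXED_VERSION="3.2.1"

# version_lt A B -> 0 if A is older than B (numeric major.minor.patch),
# 1 if A is B or newer, 2 if either string cannot be parsed.
version_lt() {
    a="${1%%[-+]*}"; b="${2%%[-+]*}"   # drop package release suffix, e.g. 3.2.0-1.el8
    case "$a" in *[!0-9.]*|"") return 2 ;; esac
    case "$b" in *[!0-9.]*|"") return 2 ;; esac
    old_ifs="$IFS"; IFS=.
    set -- $a; am=${1:-0}; an=${2:-0}; ap=${3:-0}
    set -- $b; bm=${1:-0}; bn=${2:-0}; bp=${3:-0}
    IFS="$old_ifs"
    # Compare field by field so that 3.10.0 is correctly newer than 3.2.1.
    [ "$am" -ne "$bm" ] && { [ "$am" -lt "$bm" ]; return; }
    [ "$an" -ne "$bn" ] && { [ "$an" -lt "$bn" ]; return; }
    [ "$ap" -lt "$bp" ]
}

# sp_is_affected VERSION -> 0 if VERSION needs the upgrade, 1 if already fixed,
# 2 if the string is unparseable (verify manually).
sp_is_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# report_installed: query the local shibd, if present, and print a verdict.
# Assumption: "shibd -v" prints the version; the first X.Y.Z token is used.
report_installed() {
    command -v shibd >/dev/null 2>&1 || { echo "shibd not found on this host"; return 0; }
    v=$(shibd -v 2>&1 | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1)
    sp_is_affected "$v" && rc=0 || rc=$?
    case $rc in
        0) echo "Shibboleth SP $v is affected: upgrade to $FIXED_VERSION or later" ;;
        1) echo "Shibboleth SP $v is at or above $FIXED_VERSION: no action needed" ;;
        *) echo "Could not determine the SP version ('$v'); check it manually" ;;
    esac
}

report_installed
```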