AUSTRALIAN ACCESS FEDERATION

Shibboleth Service Provider Security Advisory [22 June 2021]

Header smuggling allows for impersonation under IIS 7+

This issue affects all versions of the Service Provider (SP) on Windows since V3.0.0 when the IIS 7+ module is used.

An updated version of the Service Provider software is now available which corrects a critical header smuggling/spoofing vulnerability on Windows when using IIS.


Recommendations

Update to V3.2.2.2 or later of the Service Provider software, which is now available. This is a Windows-only update to the V3.2.2 release containing the fixed IIS module.



See the Release Notes: https://wiki.shibboleth.net/confluence/display/SP3/ReleaseNotes


View the Official Security Advisory:
https://shibboleth.net/community/advisories/secadv_20210622.txt

