Shibboleth Security Advisory – SP: Denial of Service Due to DataSealer

Dear customers,

A new security advisory for the product Shibboleth Service Provider (SP) was released on April 26th, 2021 [1].

It describes a security vulnerability which enables attackers to manipulate certain cookies to make the SP crash (Denial of Service). This error is considered to be medium-critical. All operating systems are affected. We recommend for our customers to upgrade to version 3.2.2. of the SP as soon as possible, as this version contains the patch to fix the aforementioned vulnerability. The new version is available for RPM based Linux distributions as well as Windows. Per experience, the package sources for Ubuntu 20 and Debian 10 (potentially Ubuntu 18 and Debian 9 as well) will soon be provided by SWITCH.

The patches can be found for download in the usual place [2], or can be installed using the package manager of your operating system. If you commissioned DAASI International with the maintenance of your SP infrastructure, we will take care of the upgrade in a timely manner as part of the support contract. Alternatively, it is also possible to utilise your available helpdesk hours for the upgrade.

If it is not feasible for you to complete the upgrade soon, it is possible to configure an unused Dummy-DataSealer as a workaround (cf. [3] and the example in the security advisory [1]). Especially if you are using either Ubuntu or Debian, we recommend to implement this workaround at least until SWITCH provides the updated packages.

Kind regards,

DAASI International Support Team

[1]: https://shibboleth.net/community/advisories/secadv_20210426.txt
[2]: https://shibboleth.net/downloads/service-provider/latest/
[3]: https://wiki.shibboleth.net/confluence/display/SP3/DataSealer

 

Instructions for the Upgrade