Bug#987608: shibboleth-sp: Session recovery feature contains a null pointer dereference

Ferenc Wágner wferi at debian.org
Mon Apr 26 14:16:14 BST 2021

Source: shibboleth-sp
Version: 3.0.2+dfsg1-1
Severity: important
Tags: upstream patch security
Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927

Shibboleth Service Provider Security Advisory [26 April 2021]

An updated version of the Service Provider software is now
available which corrects a denial of service vulnerability.

Session recovery feature contains a null pointer dereference

The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.

This manifests as a crash in the shibd daemon/service process.

Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.

Versions without this feature (prior to V3.0) are not vulnerable
to this particular issue.

Update to V3.2.2 or later of the Service Provider software, which
is now available.

In cases where this is not immediately possible, configuring a
DataSealer component in shibboleth2.xml (even if used for nothing)
will work around the vulnerability.

For example:

<DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />

This workaround is only possible after having updated the
core configuration to the V3 XML namespace.

Other Notes

The cpp-sp git commit containing the fix for this issue is

URL for this Security Advisory:
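
The conditions in the advisory above (introduced in V3.0, fixed in V3.2.2, workaround only with a V3-namespace configuration that contains a DataSealer) can be checked mechanically. The following is an added example, not part of the advisory or of the Shibboleth project's code. It assumes the V3 namespace URI urn:mace:shibboleth:3.0:native:sp:config and compares upstream version numbers only, so a distribution package carrying a backported fix under an older upstream version is still reported as affected; the function names and sample configurations are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

V3_NS = "urn:mace:shibboleth:3.0:native:sp:config"  # V3 SP config namespace
INTRODUCED = (3, 0, 0)  # session recovery was added in V3.0
FIXED = (3, 2, 2)       # advisory: update to V3.2.2 or later

def parse_version(text):
    """Leading upstream version of strings such as '3.0.2+dfsg1-1'."""
    m = re.match(r"(?:\d+:)?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def assess(version, config_xml):
    """Classify one SP install against the conditions in the advisory."""
    v = parse_version(version)
    if v < INTRODUCED:
        return "not-affected"
    if v >= FIXED:
        return "fixed"
    root = ET.fromstring(config_xml)
    # The workaround needs the core configuration in the V3 namespace.
    if root.tag != f"{{{V3_NS}}}SPConfig":
        return "exposed-migrate-config-first"
    if root.find(f".//{{{V3_NS}}}DataSealer") is not None:
        return "workaround-in-place"
    return "exposed"

# Constructed sample configurations (not taken from a real deployment).
V3_WITH_SEALER = (
    f'<SPConfig xmlns="{V3_NS}">'
    '<DataSealer type="Static" key="BASE64-KEY-PLACEHOLDER"/></SPConfig>')
V3_NO_SEALER = f'<SPConfig xmlns="{V3_NS}"><ApplicationDefaults/></SPConfig>'
V2_CONFIG = '<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"/>'

if __name__ == "__main__":
    for name, cfg in [("v3+sealer", V3_WITH_SEALER), ("v3", V3_NO_SEALER),
                      ("v2", V2_CONFIG)]:
        print(name, assess("3.0.2+dfsg1-1", cfg))
```

For a real host, pass the contents of shibboleth2.xml as config_xml and the installed package version as version.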
