Bug#987608: shibboleth-sp: Session recovery feature contains a null pointer dereference
wferi at debian.org
Mon Apr 26 14:16:14 BST 2021
Tags: upstream patch security
Shibboleth Service Provider Security Advisory [26 April 2021]
An updated version of the Service Provider software is now
available which corrects a denial of service vulnerability.
Session recovery feature contains a null pointer dereference
The cookie-based session recovery feature added in V3.0 contains a
flaw that is exploitable on systems *not* using the feature if a
specially crafted cookie is supplied.
This manifests as a crash in the shibd daemon/service process.
Because it is very simple to trigger this condition remotely, it
results in a potential denial of service condition exploitable by
a remote, unauthenticated attacker.
Versions without this feature (prior to V3.0) are not vulnerable
to this particular issue.
Update to V3.2.2 or later of the Service Provider software, which
is now available.
In cases where this is not immediately possible, configuring a
DataSealer component in shibboleth2.xml (even if used for nothing)
will work around the vulnerability.
<DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />
This workaround is only possible after having updated the
core configuration to the V3 XML namespace.
The cpp-sp git commit containing the fix for this issue is
URL for this Security Advisory:
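
A check for the workaround described in the advisory above, as an added example that is not part of the original message or of the Shibboleth project's code: it parses a shibboleth2.xml and reports whether the root element is in the V3 namespace and a DataSealer is configured. The V3 namespace URI, the function name and the sample configurations are assumptions or constructed for illustration; the check inspects configuration only and says nothing about the installed version.

```python
import sys
import xml.etree.ElementTree as ET

# Assumption (not stated in the advisory): namespace URI of the V3 core configuration.
V3_NS = "urn:mace:shibboleth:3.0:native:sp:config"


def check_workaround(xml_text):
    """Return (ok, findings) for the text of a shibboleth2.xml file."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, [f"not well-formed XML: {exc}"]

    findings = []
    # ElementTree spells qualified names as "{namespace}local".
    ns, _, local = root.tag.rpartition("}")
    ns = ns.lstrip("{")
    if local != "SPConfig":
        findings.append(f"root element is {local!r}, expected 'SPConfig'")
    if ns != V3_NS:
        findings.append(f"root namespace is {ns!r}, not the V3 namespace")

    # Only a DataSealer in the V3 namespace counts; it is accepted at any depth.
    sealers = root.findall(f".//{{{V3_NS}}}DataSealer")
    if not sealers:
        findings.append("no DataSealer element configured")
    for sealer in sealers:
        # Modelled on the advisory's example line: a Static sealer carries a key.
        if sealer.get("type") == "Static" and not sealer.get("key"):
            findings.append("Static DataSealer has no key attribute")
    return (not findings), findings


# Constructed samples, trimmed to the elements this check looks at.
SAMPLE_V3_SEALED = (f'<SPConfig xmlns="{V3_NS}">'
                    '<DataSealer type="Static" key="PLACEHOLDER_BASE64_KEY"/></SPConfig>')
SAMPLE_V3_BARE = (f'<SPConfig xmlns="{V3_NS}">'
                  '<ApplicationDefaults entityID="https://sp.example.org/shibboleth"/></SPConfig>')
SAMPLE_V2 = ('<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">'
             '<DataSealer type="Static" key="PLACEHOLDER_BASE64_KEY"/></SPConfig>')

if __name__ == "__main__":
    # Usage: python check_sealer.py /path/to/shibboleth2.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_V3_BARE
    ok, findings = check_workaround(text)
    print("workaround in place" if ok else "workaround NOT in place")
    for finding in findings:
        print(" -", finding)
    sys.exit(0 if ok else 1)
```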