Bug#987608: shibboleth-sp: Session recovery feature contains a null pointer dereference

Salvatore Bonaccorso carnil at debian.org
Mon Apr 26 20:19:16 BST 2021


Hi Ferenc,

On Mon, Apr 26, 2021 at 03:16:14PM +0200, Ferenc Wágner wrote:
> Source: shibboleth-sp
> Version: 3.0.2+dfsg1-1
> Severity: important
> Tags: upstream patch security
> Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927
> 
> Shibboleth Service Provider Security Advisory [26 April 2021]
> 
> An updated version of the Service Provider software is now
> available which corrects a denial of service vulnerability.
> 
> Session recovery feature contains a null pointer dereference
> ======================================================================
> The cookie-based session recovery feature added in V3.0 contains a
> flaw that is exploitable on systems *not* using the feature if a
> specially crafted cookie is supplied.
> 
> This manifests as a crash in the shibd daemon/service process.
> 
> Because it is very simple to trigger this condition remotely, it
> results in a potential denial of service condition exploitable by
> a remote, unauthenticated attacker.
> 
> Versions without this feature (prior to V3.0) are not vulnerable
> to this particular issue.
> 
> Recommendations
> ===============
> Update to V3.2.2 or later of the Service Provider software, which
> is now available.
> 
> In cases where this is not immediately possible, configuring a
> DataSealer component in shibboleth2.xml (even if used for nothing)
> will work around the vulnerability.
> 
> For example:
> 
> <DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />
> 
> This workaround is only possible after having updated the
> core configuration to the V3 XML namespace.
> 
> Other Notes
> ===========
> The cpp-sp git commit containing the fix for this issue is
> 5a47c3b9378f4c49392dd4d15189b70956f9f2ec
> 
> 
> URL for this Security Advisory:
> https://shibboleth.net/community/advisories/secadv_20210426.txt

Raising the severity to RC as I think this should go into bullseye and
the fix is targeted possible. Let me know though if you disagree on
this.

Regards,
Salvatore
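The advisory's workaround only helps once two conditions hold: the configuration is on the V3 XML namespace and a DataSealer element is present. The following is an added audit script, not part of the bug report or of the Shibboleth project; it assumes the V3 config namespace is urn:mace:shibboleth:3.0:native:sp:config and runs over two constructed minimal configs rather than real deployment files.

```python
import xml.etree.ElementTree as ET

# Assumption: the V3 SP configuration namespace (the advisory only says
# "the V3 XML namespace"); V2 files use the 2.0 namespace instead.
V3_NS = "urn:mace:shibboleth:3.0:native:sp:config"


def _split(tag):
    """Return (namespace, localname) for an ElementTree tag like '{ns}Name'."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def audit_config(xml_text):
    """Report whether the DataSealer workaround from the advisory is in effect.

    Returns a dict with v3_namespace, has_datasealer and workaround_effective;
    the last is only True when both preconditions named in the advisory hold.
    """
    root = ET.fromstring(xml_text)
    root_ns, _ = _split(root.tag)
    sealers = [e for e in root.iter() if _split(e.tag)[1] == "DataSealer"]
    on_v3 = root_ns == V3_NS
    return {
        "v3_namespace": on_v3,
        "has_datasealer": bool(sealers),
        "workaround_effective": on_v3 and bool(sealers),
    }


# Constructed sample configs (minimal; the key is the advisory's example key).
V2_NO_SEALER = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>
</SPConfig>"""

V3_WITH_SEALER = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>
  <DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />
</SPConfig>"""

if __name__ == "__main__":
    for name, cfg in (("v2-no-sealer", V2_NO_SEALER), ("v3-with-sealer", V3_WITH_SEALER)):
        print(name, audit_config(cfg))
```

A config that is already on V3 but has no DataSealer reports v3_namespace True and workaround_effective False, which is exactly the deployment the advisory describes as exploitable.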
