Bug#987608: shibboleth-sp: Session recovery feature contains a null pointer dereference
Salvatore Bonaccorso
carnil at debian.org
Tue Apr 27 06:13:43 BST 2021
Control: retitle -1 shibboleth-sp: CVE-2021-31826: Session recovery feature contains a null pointer dereference
Hi,
On Mon, Apr 26, 2021 at 03:16:14PM +0200, Ferenc Wágner wrote:
> Source: shibboleth-sp
> Version: 3.0.2+dfsg1-1
> Severity: important
> Tags: upstream patch security
> Forwarded: https://issues.shibboleth.net/jira/browse/SSPCPP-927
>
> Shibboleth Service Provider Security Advisory [26 April 2021]
>
> An updated version of the Service Provider software is now
> available which corrects a denial of service vulnerability.
>
> Session recovery feature contains a null pointer dereference
> ======================================================================
> The cookie-based session recovery feature added in V3.0 contains a
> flaw that is exploitable on systems *not* using the feature if a
> specially crafted cookie is supplied.
>
> This manifests as a crash in the shibd daemon/service process.
>
> Because it is very simple to trigger this condition remotely, it
> results in a potential denial of service condition exploitable by
> a remote, unauthenticated attacker.
>
> Versions without this feature (prior to V3.0) are not vulnerable
> to this particular issue.
>
> Recommendations
> ===============
> Update to V3.2.2 or later of the Service Provider software, which
> is now available.
>
> In cases where this is not immediately possible, configuring a
> DataSealer component in shibboleth2.xml (even if used for nothing)
> will work around the vulnerability.
>
> For example:
>
> <DataSealer type="Static" key="4Sn0Wi6BXqQLCg+GQqY6bg==" />
>
> This workaround is only possible after having updated the
> core configuration to the V3 XML namespace.
>
> Other Notes
> ===========
> The cpp-sp git commit containing the fix for this issue is
> 5a47c3b9378f4c49392dd4d15189b70956f9f2ec
MITRE has assigned CVE-2021-31826 for this issue.
Regards,
Salvatore
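As an added check (not part of the bug report, the advisory, or the Shibboleth project): a small script that inspects a shibboleth2.xml for the interim workaround described above, i.e. the V3 configuration namespace plus a DataSealer element. The sample configurations and the key value are constructed placeholders, and placing DataSealer under ApplicationDefaults is an assumption; the check says nothing about whether shibd itself has already been updated to 3.2.2.

```python
import xml.etree.ElementTree as ET

SP_V3_NS = "urn:mace:shibboleth:3.0:native:sp:config"  # V3 core config namespace
SP_V2_NS = "urn:mace:shibboleth:2.0:native:sp:config"  # legacy V2 namespace


def check_workaround(xml_text: str) -> dict:
    """Report whether a shibboleth2.xml is in the V3 namespace and declares a DataSealer.

    The advisory's workaround only works once the configuration uses the V3
    namespace, so a DataSealer in a V2-namespace file is not counted.
    """
    root = ET.fromstring(xml_text)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    v3 = ns == SP_V3_NS
    # Search anywhere below the root; element placement is an assumption.
    sealers = root.findall(f".//{{{SP_V3_NS}}}DataSealer") if v3 else []
    return {
        "namespace": ns,
        "v3_namespace": v3,
        "datasealer_types": [s.get("type", "") for s in sealers],
        "workaround_effective": v3 and len(sealers) > 0,
    }


# Constructed sample configurations (placeholders, not real deployments).
V3_WITH_SEALER = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <DataSealer type="Static" key="PLACEHOLDER-BASE64-KEY"/>
  </ApplicationDefaults>
</SPConfig>"""

V3_NO_SEALER = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>
</SPConfig>"""

V2_CONFIG = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>
</SPConfig>"""

if __name__ == "__main__":
    for name, cfg in [("v3+sealer", V3_WITH_SEALER),
                      ("v3 only", V3_NO_SEALER), ("v2", V2_CONFIG)]:
        print(name, check_workaround(cfg))
```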