The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

SecurityAdvisories

Dec 15, 2020

This is the advisory page for Identity Provider V2 and Service Provider V2 releases. For newer V3 IdP advisories, refer to the V3 SecurityAdvisories page. For newer V3 SP advisories, refer to the V3 SecurityAdvisories page.

This page provides easier access to the complete history of Security Advisories released for the Shibboleth V2 software products and an "at a glance" table showing you which releases are vulnerable to what kinds of issues. If you're running a particular version, you can use this table to identify the issues that could affect your system and determine how urgent an upgrade is. In addition to the announce mailing list, you can "watch" this page for changes to keep abreast. Pages exist describing briefly how to check the IdP or SP version you have.

As always, sites are advised to use the latest stable release of any Shibboleth product. Refer to the ProductVersioning page for information about our support and versioning policies. The Home page identifies the specific versions recommended at a given point in time

This page only covers advisories affecting the V2 products. Other advisories are not listed here, but you can find the complete set of advisories in this directory.

Obviously not all vulnerabilities are created equal, and the classifications in the matrices are general in nature, and are meant to point you to the relevant advisories to look into.

A particular version will typically be implicated by any advisories noted for it and for any newer versions above it in the tables.

Advisories noted for "All" versions should be reviewed by all deployers for relevancy to their deployment. Typically this indicates that an advisory is at least partly discussing issues that go beyond the scope of what the Shibboleth software can actually remediate and may affect the deployment as a whole. It does not in general refer to unfixed vulnerabilities in the Shibboleth software itself. There are a significant number of these at this point.

Identity Provider Vulnerability Matrix

Version	EOL	User Data Exposure	User Data Accuracy	Session Hijacking	Denial of Service	Remote Exploit	Advisories

Version	EOL	User Data Exposure	User Data Accuracy	Session Hijacking	Denial of Service	Remote Exploit	Advisories
All	Aug 2016	X	X				2014-11-03, 2014-06-08, 2014-04-09, 2011-10-24, 2011-07-18, 2009-06-19
2.4.5	Aug 2016	X	X
2.4.4	Aug 2016	X	X
2.4.3	Feb 2015	X	X				2015-02-25
2.4.2	Nov 2014	X	X		X
2.4.1	Sep 2014	X	X		X		2014-09-19
2.4.0	Aug 2014	X	X		X	X	2014-08-13
2.3.8	Apr 2013	X	X		X		2013-04-17, 2013-04-17a
2.3.6 - 2.3.7	Jul 2012	X	X		X
2.3.2 - 2.3.5	Feb 2012	X	X		X		2012-02-27
2.3.0 - 2.3.1	Jul 2011	X	X		X	X	2011-07-25
2.2.1	May 2011	X	X	X	X	X	2011-05-16
2.2.0	Jan 2011	X	X	X	X	X	2011-01-13
2.1.5	Sep 2010	X	X	X	X	X	2009-02-24
2.1.1 - 2.1.4	Nov 2009	X	X	X	X	X	2009-11-04
2.0.0	Dec 2008	X	X	X	X	X	2008-11-03

Service Provider Vulnerability Matrix

Version	EOL	User Data Exposure	Resource Exposure	Session Hijacking	Denial of Service	Remote Exploit	Advisories

Version	EOL	User Data Exposure	Resource Exposure	Session Hijacking	Denial of Service	Remote Exploit	Advisories
All		X	X			X	2018-02-27, 2018-01-23, 2018-01-12, 2016-06-29, 2016-05-04, 2014-06-08, 2014-04-09, 2013-12-02, 2011-10-24
2.6.1		X	X			X
2.6.0	Nov 2017	X	X			X	2017-11-15
2.5.6	Jun 2016	X	X			X
2.5.5	Feb 2016	X	X			X
2.5.4	Jul 2015	X	X		X	X	2015-07-21
2.5.3	Mar 2015	X	X		X	X	2015-03-19
2.5.2	Dec 2013	X	X		X	X
2.5.0 - 2.5.1	June 2013	X	X		X		2013-06-18, 2013-01-10
2.4.3	Nov 2012	X	X		X	X	2012-04-19
2.4.0 - 2.4.2	Jul 2011	X	X		X	X	2011-07-25, 2011-07-06
2.3.0 - 2.3.1	Dec 2010	X	X		X	X
2.2.1	Nov 2009	X	X	X	X	X	2009-11-04, 2009-08-26
2.2.0	Aug 2009	X	X	X	X	X	2009-08-17
2.0.0 - 2.1.0	Jun 2009	X	X	X	X	X	2009-06-15

Advisory List

Date	Title	Affects	Severity	CVE

Date	Title	Affects	Severity	CVE
2018-02-27	Shibboleth SP software vulnerable to additional data forgery flaws	SP w/ xmltooling < 1.6.4	critical	CVE-2018-0489
2018-01-23	Implications of ROBOT TLS vulnerability	All	high
2018-01-12	Shibboleth SP software vulnerable to forged user attribute data	SP w/ Xerces-C < 3.1.4 AND xmltooling < 1.6.3	critical	CVE-2018-0486
2017-11-15	Dynamic MetadataProvider fails to install security filters	SP < 2.6.1	critical
2016-06-29	Apache Xerces-C XML Parser Crashes on Malformed DTD	SP w/ Xerces-C < 3.1.4	medium	CVE-2016-4463
2016-05-04	Shibboleth SP software <PathRegex> feature implemented incorrectly	SP (all released versions)	high
2016-02-25	Apache Xerces-C XML Parser Crashes on Malformed Input	SP w/ Xerces-C < 3.1.3	high	CVE-2016-0729
2015-07-21	Shibboleth SP software crashes on well-formed but invalid XML	SP w/ xmltooling < 1.5.5, libsaml < 2.5.5	medium	CVE-2015-2684
2015-03-19	Shibboleth SP software crashes on malformed input messages	SP < 2.5.4, Xerces-C < 3.1.2	medium	CVE-2015-0252
2015-02-25	Identity Provider and OpenSAML-J PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation	IDP < 2.4.4, OpenSAML-J < 2.6.5	high
2014-11-03	Xerces-J XML Parser Vulnerable to Denial of Service	IDP with Xerces endorsed	medium