SecurityAdvisories

This is the advisory page for Service Provider V3 releases. For older V2 SP advisories, refer to the V2 SecurityAdvisories page

This page provides access to the complete history of Security Advisories released for the Shibboleth V3 Service Provider and an "at a glance" table showing you which releases are vulnerable to what kinds of issues. If you're running a particular version, you can use this table to identify the issues that could affect your system and determine how urgent an upgrade is. In addition to the announce mailing list, you can "watch" this page for changes to keep abreast.

You can determine the exact version you're running based on the shibd.log during startup.

If you would like to report an issue you believe is security related, please drop an e-mail to security@shibboleth.net

As always, sites are advised to use the latest stable release of any Shibboleth product. Refer to the ProductVersioning page for information about our support and versioning policies. The Home page identifies the specific versions recommended at a given point in time

This page only covers advisories affecting the V3 Service Provider software. Other advisories are not listed here, but you can find the complete set of advisories in this directory.

Obviously not all vulnerabilities are created equal, and the classifications in the matrices are general in nature, and are meant to point you to the relevant advisories to look into.

A particular version will typically be implicated by any advisories noted for it and for any newer versions above it in the tables.

Advisories noted for "All" versions should be reviewed by all deployers for relevancy to their deployment. Typically this indicates that an advisory is at least partly discussing issues that go beyond the scope of what the Shibboleth software can actually remediate and may affect the deployment as a whole. It does not in general refer to unfixed vulnerabilities in the Shibboleth software itself.

Service Provider Vulnerability Matrix

The oldest SP 3 version unaffected by fixable vulnerabilities is 3.2.2, (3.4.1.4 on Windows/IIS) provided that xmltooling >= V3.2.4 is used.

Version

EOL

User Data Exposure

Resource Exposure

Session Hijacking

Denial of Service

Remote Exploit

Advisories

Version

EOL

User Data Exposure

Resource Exposure

Session Hijacking

Denial of Service

Remote Exploit

Advisories

All



X

X

 

X

X

2018-08-03, 2018-01-23, 2014-04-09, 2011-10-24

3.4.1

 

 

 

 

 

 

 

3.4.0

Jan 2023

 

 

 

 

 

 

3.3.0

Nov 2022

 

 

 

 

 

 

3.2.3

Dec 2021

 

 

 

 

 

 

3.2.2

Jul 2021

 

 

 

 

 

2021-06-22

3.2.1

Apr 2021

 

 

 

X

 

2021-04-26

3.2.0

Mar 2020

 

 

 

X

 

2020-03-17

3.1.0

Dec 2020

 

 

 

X

 

2020-08-31

3.0.4

Apr 2020

 

 

 

X

 

 

3.0.3

Mar 2019

 

 

 

X

 

2019-03-11

3.0.2

Dec 2018

 

 

 

X

 

2018-12-19a

3.0.1

Aug 2018

X

X

 

X

X

 

3.0.0

Jul 2018

 

 

 

X

 

 

Advisory List

Date

Title

Affects

Severity

CVE

Date

Title

Affects

Severity

CVE

2023-06-12

Parsing of KeyInfo elements can cause remote resource access

xmltooling < 3.2.4

low

 

2023-03-13

https://nvd.nist.gov/vuln/detail/CVE-2022-37434

zlib < 1.2.13

moderate

CVE-2022-37434

2023-02-07

OpenSSL Vulnerabilities (various)

OpenSSL 3.0 < 3.0.8

Various

Various

2021-06-22

Header smuggling allows for impersonation under IIS 7+

SP for Windows IIS7+ module < 3.2.2.2

critical

 

2021-04-26

Session recovery feature contains a null pointer deference

SP < 3.2.2

moderate

 

2020-03-17

Template generation allows external parameters to override placeholders

SP < 3.2.1

moderate

 

2020-08-31

IIS module fails to trap exceptions raised by network socket failures

SP for Windows IIS7+ module < 3.1.0.2

moderate

 

2019-03-11

XML parser class fails to trap exceptions on malformed XML declaration

SP w/ libxmltooling < 3.0.4

moderate

CVE-2019-9628

2018-12-19

Shibboleth SP software crashes on malformed date/time content

SP < 3.0.3

moderate

 

2018-08-03

Shibboleth SP software crashes on malformed KeyInfo content

SP w/ libxml-security-c < 2.0.2

high

 

2018-01-23

Implications of ROBOT TLS vulnerability

All

high

 

2014-04-09

OpenSSL "Heartbleed" vulnerability

SP or IDP w/ OpenSSL 1.0.1 - 1.0.1f

very high

CVE-2014-0160

2011-10-24

Use of XML Encryption Vulnerable to Chosen Ciphertext Attacks

SP and IdP, all versions                              

moderate

 

Library Issues

Because we have relatively infrequent releases and a strict versioning policy, it is not rare that we ship third-party libraries that may contain unfixed vulnerabilities when those issues are believed to be non-impactful. This is often due to timing; for example, we may be unable to adequately test a new version of something in time to include it in a release and may determine that the less risky course is to stay on an older version. Alternatively, it may be impossible to update something because of the API changes required, since many projects do not adhere to semantic (or any) versioning.

In the event that we ship releases known to, or that we subsequently discover to, contain vulnerable libraries and do not have specific plans to immediately issue a patch with a newer version, we will document any known issues here, and our official position as to the lack of relevance of the issue to the software. It is not our aim to pass generic, context-free scanners that simply flag every issue. Automation is not a substitute for human judgement.

V3.4.1

  • OpenSSL on Windows (last reviewed 2024-09-03)

    • The version of OpenSSL 3.0 shipped on Windows at this time contains a number of non-impactful security vulnerabilities. Due to the effort involved, it is unlikely a new version will be supplied until a more significant need arises. Any advisory issued on or before the “last-reviewed” date above has been triaged.

  • Curl (last reviewed 2024-07-31)

    • CVE-2024-7264

      • We don’t use the affected feature as we process cerrtificates separately from anything libcurl is doing with them.

    • CVE-2023-46218

      • We do not rely on cookies in our use of Curl.

    • CVE-2023-46219

      • We do not use the HSTS feature, this isn’t a web browser.

    • CVE-2024-0853

      • We do not rely on Curl to validate certificates

    • CVE-2024-2004

      • Even if this in fact affects libcurl itself and not just the command line, we don’t manipulate the protocols (we do for TLS protocols, but not schemes).

    • CVE-2024-2398

      • We don’t build with HTTP/2 support.

    • CVE-2024-6197

      • We don’t use those TLS implementations.

    • CVE-2024-6874

      • We don’t ship curl on macOS.