SecurityAdvisories

This is the advisory page for Identity Provider V2 and Service Provider V2 releases. For newer V3 IdP advisories, refer to the V3 SecurityAdvisories page.

This page provides easier access to the complete history of Security Advisories released for the Shibboleth V2 software products and an "at a glance" table showing you which releases are vulnerable to what kinds of issues. If you're running a particular version, you can use this table to identify the issues that could affect your system and determine how urgent an upgrade is. In addition to the announce mailing list, you can "watch" this page for changes to keep abreast. Pages exist describing briefly how to check the IdP or SP version you have.

If you would like to report an issue you believe is security related, you can do any of the following:

e-mail security@shibboleth.net or contact@shibboleth.net
use the contact form

As always, sites are advised to use the latest stable release of any Shibboleth product. Refer to the ProductVersioning page for information about our support and versioning policies. The Home page identifies the specific versions recommended at a given point in time

This page only covers advisories affecting the V2 products. Other advisories are not listed here, but you can find the complete set of advisories in this directory.

Obviously not all vulnerabilities are created equal, and the classifications in the matrices are general in nature, and are meant to point you to the relevant advisories to look into.

A particular version will typically be implicated by any advisories noted for it and for any newer versions above it in the tables.

Advisories noted for "All" versions should be reviewed by all deployers for relevancy to their deployment. Typically this indicates that an advisory is at least partly discussing issues that go beyond the scope of what the Shibboleth software can actually remediate and may affect the deployment as a whole. It does not in general refer to unfixed vulnerabilities in the Shibboleth software itself. There are a significant number of these at this point.

Identity Provider Vulnerability Matrix

Version	EOL	User Data Exposure	User Data Accuracy	Session Hijacking	Denial of Service	Remote Exploit	Advisories
All	Aug 2016	X	X				2014-11-03, 2014-06-08, 2014-04-09, 2011-10-24, 2011-07-18, 2009-06-19
2.4.5	Aug 2016	X	X
2.4.4	Aug 2016	X	X
2.4.3	Feb 2015	X	X				2015-02-25
2.4.2	Nov 2014	X	X		X
2.4.1	Sep 2014	X	X		X		2014-09-19
2.4.0	Aug 2014	X	X		X	X	2014-08-13
2.3.8	Apr 2013	X	X		X		2013-04-17, 2013-04-17a
2.3.6 - 2.3.7	Jul 2012	X	X		X
2.3.2 - 2.3.5	Feb 2012	X	X		X		2012-02-27
2.3.0 - 2.3.1	Jul 2011	X	X		X	X	2011-07-25
2.2.1	May 2011	X	X	X	X	X	2011-05-16
2.2.0	Jan 2011	X	X	X	X	X	2011-01-13
2.1.5	Sep 2010	X	X	X	X	X	2009-02-24
2.1.1 - 2.1.4	Nov 2009	X	X	X	X	X	2009-11-04
2.0.0	Dec 2008	X	X	X	X	X	2008-11-03

Service Provider Vulnerability Matrix

The oldest SP version unaffected by fixable vulnerabilities (excepting the advisory from 2016-05-04) is V2.6.1 in conjunction with OpenSAML 2.5.5, Xerces 3.1.4, and OpenSSL 1.0.2h.

Version	EOL	User Data Exposure	Resource Exposure	Session Hijacking	Denial of Service	Remote Exploit	Advisories
All		X	X			X	2018-02-27, 2018-01-23, 2018-01-12, 2016-06-29, 2016-05-04, 2014-06-08, 2014-04-09, 2013-12-02, 2011-10-24
2.6.1		X	X			X
2.6.0	Nov 2017	X	X			X	2017-11-15
2.5.6	Jun 2016	X	X			X
2.5.5	Feb 2016	X	X			X
2.5.4	Jul 2015	X	X		X	X	2015-07-21
2.5.3	Mar 2015	X	X		X	X	2015-03-19
2.5.2	Dec 2013	X	X		X	X
2.5.0 - 2.5.1	June 2013	X	X		X		2013-06-18, 2013-01-10
2.4.3	Nov 2012	X	X		X	X	2012-04-19
2.4.0 - 2.4.2	Jul 2011	X	X		X	X	2011-07-25, 2011-07-06
2.3.0 - 2.3.1	Dec 2010	X	X		X	X
2.2.1	Nov 2009	X	X	X	X	X	2009-11-04, 2009-08-26
2.2.0	Aug 2009	X	X	X	X	X	2009-08-17
2.0.0 - 2.1.0	Jun 2009	X	X	X	X	X	2009-06-15

Advisory List

Date	Title	Affects	Severity	CVE
2018-02-27	Shibboleth SP software vulnerable to additional data forgery flaws	SP w/ xmltooling < 1.6.4	critical	CVE-2018-0489
2018-01-23	Implications of ROBOT TLS vulnerability	All	high
2018-01-12	Shibboleth SP software vulnerable to forged user attribute data	SP w/ Xerces-C < 3.1.4 AND xmltooling < 1.6.3	critical	CVE-2018-0486
2017-11-15	Dynamic MetadataProvider fails to install security filters	SP < 2.6.1	critical
2016-06-29	Apache Xerces-C XML Parser Crashes on Malformed DTD	SP w/ Xerces-C < 3.1.4	medium	CVE-2016-4463
2016-05-04	Shibboleth SP software <PathRegex> feature implemented incorrectly	SP (all released versions)	high
2016-02-25	Apache Xerces-C XML Parser Crashes on Malformed Input	SP w/ Xerces-C < 3.1.3	high	CVE-2016-0729
2015-07-21	Shibboleth SP software crashes on well-formed but invalid XML	SP w/ xmltooling < 1.5.5, libsaml < 2.5.5	medium	CVE-2015-2684
2015-03-19	Shibboleth SP software crashes on malformed input messages	SP < 2.5.4, Xerces-C < 3.1.2	medium	CVE-2015-0252
2015-02-25	Identity Provider and OpenSAML-J PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation	IDP < 2.4.4, OpenSAML-J < 2.6.5	high
2014-11-03	Xerces-J XML Parser Vulnerable to Denial of Service	IDP with Xerces endorsed	medium	CVE-2013-4002
2014-09-19	Shibboleth Identity Provider and OpenSAML-J HTTPS and LDAPS Connections Do Not Perform Proper Hostname Verification	IDP < 2.4.2, OpenSAML-J < 2.6.3	high	CVE-2014-3604 CVE-2014-3607
2014-08-13	HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification	IDP < 2.4.1, OpenSAML-J < 2.6.2	medium	CVE-2014-3603
2014-06-08	OpenSSL MITM issue	SP with any affected OpenSSL version, IDP w/ OpenSSL 1.0.1 - 1.0.1g	high	CVE-2014-0224
2014-04-09	OpenSSL "Heartbleed" vulnerability	SP or IDP w/ OpenSSL 1.0.1 - 1.0.1f	very high	CVE-2014-0160
2013-12-15	OpenSAML Java ParserPool and Decrypter Vulnerable To XML Attacks	OpenSAML-J < 2.6.1	medium
2013-12-02	Curl library skips TLS server certificate name checking	SP w/ libcurl between 7.18.0 and 7.33.0	low	CVE-2013-4545
2013-06-18	Shibboleth SP heap overflow processing InclusiveNamespace PrefixList	SP w/ libxml-security-c < 1.7.1	high	CVE-2013-2156
2013-04-17	Identity Provider HTTP-based Metadata Providers did not perform hostname verification	IDP < 2.4.0	medium
2013-04-17	Identity Provider issue In Metadata Providers with 'disregardSslCertificate' option	IDP < 2.4.0	medium
2013-01-10	Shibboleth SP software crashes on malformed IdP History Cookie	SP w/ libsaml 2.5.0 or 2.5.1	low
2012-04-19	OpenSSL ASN1 BIO vulnerability	SP w/ openssl < 1.0.0i	high	CVE-2012-2110
2012-02-27	Identity Provider LDAPS Connections Do Not Perform Hostname Verification	IDP < 2.3.6	high
2011-10-24	Use of XML Encryption Vulnerable to Chosen Ciphertext Attacks	SP and IdP, all versions	medium
2011-07-25	OpenSAML software is vulnerable to XML Signature wrapping attacks	IDP < 2.3.2 SP w/ libsaml < 2.4.3	high	CVE-2011-1411
2011-07-18	Multi-Session Information Leakage	IDP >= 2.1	medium
2011-07-06	Shibboleth SP software crashes on large signing/encryption keys	SP w/ libxml-security-c < 1.6.1	high	CVE-2011-2516
2011-05-16	Velocity templates vulnerable to XSS (cross-site scripting) injection	IDP < 2.3.0	high
2011-01-13	Shibboleth IdP 2.X Single TransientID Mapped to Multiple Principals	IDP < 2.2.1	high
2009-11-04	Shibboleth software improperly handles malformed URLs	IDP < 2.1.5 SP < 2.3	high	CVE-2009-3300
2009-08-26	Shibboleth SP software improperly handles malformed URLs	SP w/ libxmltooling < 1.2.2	high
2009-08-17	Shibboleth SP software improperly evaluates KeyDescriptors	SP < 2.2.1	low
2009-08-17	Shibboleth SP software improperly handles certificate names	SP < 2.2.1 or w/ libcurl < 7.19.6	high
2009-06-19	Potential Access to Sensitive Information when Clustering Shibboleth 2.X IdPs	IDP, all versions w/ Terracotta	medium
2009-06-15	Shibboleth SP software on IIS vulnerable to header spoofing	SP < 2.2 w/ IIS, but see this	high
2009-02-24	Shibboleth IdP 2.X cross-site request attack	IDP < 2.2.0	high
2008-11-03	Shibboleth IdP 2.0 UsernamePassword Login Handler Vulnerable to Cross-site Request Attack	IDP < 2.1.0	high