=====================================================================
CERT-Renater Information Note No. 2012/VULN096
_____________________________________________________________________
DATE : 02/03/2012
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : Systems running Shibboleth Identity Provider version 1.x and 2.x
======================================================================
http://shibboleth.internet2.edu/secadv/secadv_20120227.txt
_______________________________________________________________________

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Shibboleth Security Advisory [ 27 February 2012 ]

Identity Provider LDAPS Connections Do Not Perform Hostname Verification
=================
The LDAP support shipped with the Sun/Oracle and OpenJDK JVMs does not
perform hostname verification when using LDAPS (see [1] for why). The lack
of hostname verification means that while the connection between the IdP
and the LDAP server is encrypted, the IdP has no way to verify that it is
actually communicating with the appropriate LDAP server.

Note also that all other LDAP libraries that we looked at (Apache
Directory, JLDAP, UnboundID, and Netscape LDAP) exhibit the same
behavior, so you may want to check any other applications you have that
use LDAPS.

Affected Versions
=================
All 1.x and 2.x versions of the Identity Provider

Recommendations
=================
Use startTLS, if your directory supports it, or upgrade to IdP v 2.3.6.

Credits
=================
Scott Cantor, The Ohio State University

URL for this Security Advisory
http://shibboleth.internet2.edu/secadv/secadv_20120227.txt

[1] The stated reason for this is that since LDAPS is not officially
defined (it was just made up by the OpenLDAP team) there is no
specification that says this check is required. The use of the startTLS
operation, which is formally defined, does properly perform hostname
verification.
- --
Chad La Joie
www.itumi.biz
trusted identities, delivered
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPS2+eAAoJEKCzywnSs3NTzi4P/idl9fpMucCFT4AlVVR7Wbxh
xV4ihGDHMOetxUkxZfm4Mhkrgywn7fFxLHwv3Dq9z2xpKqi155v3Mjv6D/DKzQoK
kTfv4ZVsuOneonxY1InfuKcbTwZUgKX4LSuaQYB1JcZG9JU1e+g1JKkWt8j+sRf5
5ma361AigNNv/SDiBrVVsDM7Afmp9BouD2sAxQsNoy9w0h+VFdtWliP6R/lNr5bz
PRrc1BYWaPK+4auQhITX6yQO8a9Lv+NBHMKrgwqws0W7yBDbpbpUY8OBvGNCjqG6
ex1JhzqOylc/OH4Yr7edObzf2TGwdsmZZ25vx6b/+mMJDtMCMkCo+bhEnfpKqEwA
IQlEyUFvM/3aLGsfIqvVaGPidmOQqWv1kC/rVcY9Y9c4YCNDK1gqudDqCjvshCIQ
XgpHwlW4lCJc6HuQhsm7h6vCeW2tDYNzbqNNMQ/0yi/ovEGcRgl4Lu3r/P4+hWKa
FCVg363YSpNSCDJ9acXW3ufxo3fI5NDi5JGIIM4lvkCYrdVGW1hkMeNGnPRNTqex
Zp6V4r4Zj/s3wKo+8C0k48p6ls31vd6NIC7+B8v5GFwwya8UTAyDDouEHtgzxeCf
55SzZ2CUp4sMvppmRrRI5sbfGvh9be9VXAvHDxYVQLxo8UsJ5g9Dx0A97g4o32dD
IMCUlr3NptbhkCtGXpFe
=v01l
-----END PGP SIGNATURE-----
======================================================================
=========================================================
CERT-Renater reference servers
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44      +
+ 23 - 25 Rue Daviel   | fax : 01-53-94-20-41      +
+ 75013 Paris          | email: certsvp@renater.fr +
=========================================================
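Appended illustration of the two remediation paths the advisory names (added here as an example; it is neither part of the CERT-Renater note nor code from the Shibboleth project). It shows, for a JVM application using the built-in JNDI LDAP provider, how the LDAPS path can be made to verify the server hostname by supplying a custom SSLSocketFactory that enables JSSE endpoint identification, and how the startTLS path gets that check from StartTlsResponse.negotiate() itself. Assumptions: Java 7 or later (SSLParameters.setEndpointIdentificationAlgorithm), a default trust store that already trusts the directory's CA, and placeholder host names ldap.example.org. Later JDK releases (8u181 and newer) enable endpoint identification on LDAPS by default, so on a current JVM the custom factory is a belt-and-braces measure rather than a requirement.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * SSLSocketFactory that switches on endpoint identification ("LDAPS") for
 * every socket it hands out, so the JSSE handshake rejects a certificate
 * whose subject / SAN does not match the host the IdP intended to reach.
 * (Hypothetical class name; not part of any library.)
 */
public class VerifiedLdapsSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate = (SSLSocketFactory) SSLSocketFactory.getDefault();

    /** JNDI instantiates the factory through this static method when
     *  java.naming.ldap.factory.socket names the class. */
    public static SSLSocketFactory getDefault() {
        return new VerifiedLdapsSocketFactory();
    }

    private static Socket withHostnameCheck(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            SSLParameters p = ssl.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS"); // standard JSSE algorithm name
            ssl.setSSLParameters(p);
        }
        return s;
    }

    @Override public Socket createSocket(String host, int port) throws IOException {
        return withHostnameCheck(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress local, int lport) throws IOException {
        return withHostnameCheck(delegate.createSocket(host, port, local, lport));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return withHostnameCheck(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress host, int port, InetAddress local, int lport) throws IOException {
        return withHostnameCheck(delegate.createSocket(host, port, local, lport));
    }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return withHostnameCheck(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    /** LDAPS (ldaps://...:636): encryption from the provider, hostname check from the factory above. */
    public static LdapContext connectLdaps(String ldapsUrl) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", VerifiedLdapsSocketFactory.class.getName());
        return new InitialLdapContext(env, null); // fails with a NamingException wrapping the TLS error on mismatch
    }

    /** startTLS (ldap://...:389 upgraded in-band): the formally specified path the advisory recommends.
     *  StartTlsResponse.negotiate() performs the hostname verification itself and throws on mismatch. */
    public static LdapContext connectStartTls(String ldapUrl) throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate(); // IOException here means the certificate did not verify against the host name
        return ctx;      // bind / search only after this point, so credentials never cross the wire in clear
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host names; substitute the directory the IdP actually talks to.
        connectStartTls("ldap://ldap.example.org:389").close();
        connectLdaps("ldaps://ldap.example.org:636").close();
        System.out.println("both connections verified the directory's host name");
    }
}
```

In the startTLS variant, any bind must come after negotiate() returns; binding first would send the password over the still-unencrypted connection. A quick way to confirm either path is actually checking names is to point it at a directory whose certificate carries a different host name (or at the server by IP address rather than name): a correctly configured client refuses the connection, whereas the JDK behaviour the advisory describes would silently accept it.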