=====================================================================
CERT-Renater Information Note No. 2013/VULN244
_____________________________________________________________________
DATE : 19/06/2013
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running xml-security-c versions prior to 1.7.1, Windows running Shibboleth Service Provider versions prior to 2.5.2.
======================================================================

http://shibboleth.net/community/advisories/secadv_20130618.txt
______________________________________________________________________

Shibboleth Service Provider Security Advisory [18 June 2013]

An updated version of the Shibboleth Service Provider software is now available which includes an updated version of a dependency that corrects a security issue. Platforms on which xml-security-c is an OS-supplied component, such as Debian Linux, will need to ensure their vendor has supplied an updated package to correct the issue.

Shibboleth SP heap overflow processing InclusiveNamespace PrefixList
====================================================================

The Apache Santuario XML Security for C++ library contained a heap overflow in the processing of XML content related to the verification of signed XML such as SAML assertions. In the worst case this could allow a remote, unauthenticated attacker to cause arbitrary code execution within the shibd process.

The SP software is not the source of the vulnerability, and the fix required is contained solely in the xml-security-c library. However, packaging and binary compatibility considerations typically mean that older versions cannot always be fixed without upgrading (unless built by hand). The version of xml-security-c containing the fix is V1.7.1.

That vulnerability has been published as CVE-2013-2156.

Recommendations
===============

Ensure that V1.7.1 or later of the xml-security-c library is used.

For Windows installations, V2.5.2 of the Shibboleth SP is now available and contains updates to several libraries, including this fix. All V2.5.x installations should be upgradeable to this release. Older Windows versions have been unsupported since late 2012 and are not upgradeable without removing them and installing V2.5.2.

Linux installations relying on official RPM packages can upgrade to the latest package versions to obtain the fix. If your system already includes V1.7.0 of the xml-security-c library, then you MAY address the issue by updating only that package. Shibboleth and OpenSAML packages built against older versions, such as V1.6.x, will not be binary-compatible with the newer version.

Sites that have deployed by building their own copy of xml-security-c should ensure that they upgrade to V1.7.1 of that package, or patch older versions as desired.

Sites that rely on an OS-supplied version of xml-security-c will need to contact their OS vendor for a fixed version, or manually build a new or patched version.

Credits
=======

Thanks to James Forshaw of Context Information Security for reporting the issue to the Apache Santuario project.

URL for this Security Advisory:
http://shibboleth.net/community/advisories/secadv_20130618.txt

URL for the vulnerability:
http://santuario.apache.org/secadv.data/CVE-2013-2156.txt

======================================================================

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel   | fax : 01-53-94-20-41           +
+ 75013 Paris          | email: cert@support.renater.fr +
==========================================================
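The recommendations above reduce to a version gate: xml-security-c must be at least 1.7.1, and a Windows Shibboleth SP must be at least 2.5.2. Comparing version strings by hand across a fleet is error-prone (a "1.10" sorts before "1.7" as a string, and RPM strings carry release suffixes such as "-2.el6"). The script below is an added example written for this note; it is not code from CERT-Renater, the Shibboleth project or Apache Santuario. It assumes an inventory of (host, component, installed version) gathered by other means; the inventory shown is constructed sample data, and the two fixed-version numbers are the ones stated in the advisory.

```python
"""Version-gate triage for the xml-security-c / Shibboleth SP advisory.

Added example, not part of the CERT-Renater note or the Shibboleth advisory.
The fixed versions come from the advisory text: xml-security-c 1.7.1 and,
on Windows, Shibboleth SP 2.5.2. SAMPLE_INVENTORY is constructed data.
"""
import re

# Minimum fixed versions, as stated in the advisory.
FIXED_VERSIONS = {
    "xml-security-c": (1, 7, 1),
    "shibboleth-sp-windows": (2, 5, 2),
}


def parse_version(text):
    """Turn '1.7.0', 'V1.7.1' or '1.6.1-2.el6' into a tuple of ints.

    Only the leading dotted numeric part is compared; packaging suffixes
    such as '-2.el6' are dropped and an optional 'V'/'v' prefix is stripped.
    """
    m = re.match(r"^[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(component, version):
    """True when the installed version is older than the advisory's fixed version."""
    fixed = FIXED_VERSIONS[component]
    installed = parse_version(version)
    # Pad the shorter tuple with zeros so '1.7' compares as '1.7.0', not shorter.
    width = max(len(fixed), len(installed))
    fixed = fixed + (0,) * (width - len(fixed))
    installed = installed + (0,) * (width - len(installed))
    return installed < fixed


def triage(inventory):
    """Return the (host, component, version) entries that still need action."""
    return [(host, comp, ver) for host, comp, ver in inventory
            if is_vulnerable(comp, ver)]


# Constructed sample inventory: (host, component, installed version string).
SAMPLE_INVENTORY = [
    ("sp-linux-01", "xml-security-c", "1.6.1-2.el6"),   # old ABI, needs full upgrade
    ("sp-linux-02", "xml-security-c", "V1.7.0"),        # may update only this package
    ("sp-linux-03", "xml-security-c", "1.7.1"),         # fixed
    ("sp-win-01", "shibboleth-sp-windows", "2.5.1"),    # upgrade to 2.5.2
    ("sp-win-02", "shibboleth-sp-windows", "2.5.2"),    # fixed
]

if __name__ == "__main__":
    for host, comp, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {comp} {ver} is older than the fixed version; upgrade needed")
```

The check is deliberately a numeric comparison rather than a string one, and pads short versions so "1.7" is treated as "1.7.0". Its limit is exactly the one the advisory points to for OS-supplied packages: a vendor that backports the fix into an older version number (the "patch older versions" case) will still be reported as vulnerable here, so for those hosts the distribution's own advisory for CVE-2013-2156, not the version number, is the authoritative signal.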