====================================================================
CERT-Renater Information Note No. 2016/VULN369
_____________________________________________________________________
DATE                : 28/10/2016
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : Systems running Shibboleth IdP version 3 prior to 3.3.0.
=====================================================================

http://shibboleth.net/community/advisories/secadv_20161027.txt
____________________________________________________________________

Shibboleth Identity Provider Security Advisory [27 October 2016]

Collision in LDAP Data Connector result set cache
=================================================

A flaw in the implementation of the result cache in the LDAP data
connector [1] of the attribute resolver can cause the results of one
search to be returned in place of the results of another search,
including a search performed for a different subject. Depending on the
purpose of the search and the attributes involved, this can result in
data belonging to one user being attributed to another user, with
critical impact on connected systems (which may grant access or
privileges on the basis of the wrong attributes), up to and including
improper information disclosure.

It is believed at this time that this flaw is present in the V3 software
only, and does not affect the older V2 Identity Provider software. It is
also believed to impact only the LDAP data connector and not the RDBMS
data connector. If either assumption proves false, this advisory will be
updated.

Affected Versions
=================

Versions of the Identity Provider >= 3.0.0 and < 3.3.0.

Recommendations
===============

All deployers making use of this feature should immediately remove the
result cache element from any configured LDAP data connectors. Upon the
release of V3.3.0, updating to that version will make the feature safe
to use again.
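As an added example (not part of the CERT-Renater note or of the Shibboleth advisory), the following Python script audits an IdP 3 attribute-resolver.xml for LDAP data connectors that still enable the result cache, and checks whether a given IdP version falls in the affected range stated above. It assumes, following the LDAPConnector documentation cited as [1] rather than the advisory text, that the cache is configured by a ResultCache child element of a DataConnector of xsi:type LDAPDirectory in the urn:mace:shibboleth:2.0:resolver namespace; the elementTimeToLive attribute and the sample configuration are constructed for illustration.

```python
"""Audit an IdP 3 attribute-resolver.xml for cached LDAP data connectors.

Added example, not project code. Assumptions (not stated in the advisory):
the result cache is a <ResultCache> child of an LDAPDirectory DataConnector
(see the LDAPConnector wiki page, reference [1]); the elementTimeToLive
attribute in the sample below is illustrative only.
"""
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

AFFECTED_FROM = (3, 0, 0)   # inclusive, per "Affected Versions"
FIXED_IN = (3, 3, 0)        # exclusive: 3.3.0 makes the feature safe again


def parse_version(version):
    """'3.2.1' -> (3, 2, 1); a suffix such as '-SNAPSHOT' is ignored."""
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version):
    """True for IdP releases >= 3.0.0 and < 3.3.0."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def _local(name):
    """Strip namespace or prefix: '{ns}Tag' -> 'Tag', 'resolver:X' -> 'X'."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]


def ldap_connectors_with_result_cache(xml_text):
    """Return ids of LDAPDirectory DataConnectors carrying a ResultCache."""
    root = ET.fromstring(xml_text)
    flagged = []
    for dc in root.iter("{%s}DataConnector" % RESOLVER_NS):
        if _local(dc.get(XSI_TYPE, "")) != "LDAPDirectory":
            continue  # RDBMS connector is believed unaffected by the advisory
        if any(_local(child.tag) == "ResultCache" for child in dc):
            flagged.append(dc.get("id"))
    return flagged


def audit(version, xml_text):
    """Action is required when the version is affected AND a cached LDAP
    connector is configured."""
    flagged = ldap_connectors_with_result_cache(xml_text)
    affected = is_affected_version(version)
    return {"affected_version": affected,
            "connectors": flagged,
            "action_required": affected and bool(flagged)}


# Constructed sample attribute-resolver.xml (not from a real deployment).
SAMPLE_RESOLVER = """<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Weak setting on IdP 3.0.0 - 3.2.x: result cache on an LDAP connector -->
  <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
      ldapURL="ldap://ldap.example.org:389"
      baseDN="ou=people,dc=example,dc=org"
      principal="uid=idp,ou=system,dc=example,dc=org"
      principalCredential="changeit">
    <FilterTemplate><![CDATA[(uid=$resolutionContext.principal)]]></FilterTemplate>
    <ResultCache elementTimeToLive="PT10M"/>
  </DataConnector>

  <!-- Mitigated form of the same connector: ResultCache element removed -->
  <DataConnector id="myLDAPSafe" xsi:type="LDAPDirectory"
      ldapURL="ldap://ldap.example.org:389"
      baseDN="ou=people,dc=example,dc=org"
      principal="uid=idp,ou=system,dc=example,dc=org"
      principalCredential="changeit">
    <FilterTemplate><![CDATA[(uid=$resolutionContext.principal)]]></FilterTemplate>
  </DataConnector>

  <!-- RDBMS connector with a cache (other attributes omitted): not flagged -->
  <DataConnector id="myDatabase" xsi:type="RelationalDatabase">
    <ResultCache elementTimeToLive="PT10M"/>
  </DataConnector>
</AttributeResolver>
"""

if __name__ == "__main__":
    print(audit("3.2.1", SAMPLE_RESOLVER))
```

Run it against the real file with `audit(version, open("/opt/shibboleth-idp/conf/attribute-resolver.xml").read())`, substituting the deployed path and version; the script only reports, and the element should be removed by hand so that comments and namespace prefixes in the file are preserved.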
References
==========

URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20161027.txt

Credits
=======

Jeffrey Eaton, Carnegie Mellon University

[1] https://wiki.shibboleth.net/confluence/display/IDP30/LDAPConnector

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax  : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr  +
==========================================================