====================================================================
CERT-Renater Note d'Information No. 2017/VULN293
_____________________________________________________________________
DATE                 : 06/10/2017
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Shibboleth IdP versions prior to 3.3.2.
=====================================================================

http://shibboleth.net/community/advisories/secadv_20171004.txt
____________________________________________________________________

Shibboleth Identity Provider Security Advisory [4 October 2017]

LDAP Data Connector insecure when using default JVM trust
=========================================================

A flaw in the library used by the LDAP data connector [1] causes the
connector to fail to validate the server certificate and leaves it
vulnerable to man in the middle attacks under the following conditions:

1. The connection is via LDAPS (NOT StartTLS).

2. The connection's trust configuration is left to the default Java
   cacerts file, so-called default JVM trust.

If your connector contains a trustFile attribute or a element (which
also applies to LDAPS connections), then it is not relying on default
JVM trust and is not vulnerable.

Affected Versions
=================

Versions of the Identity Provider < 3.3.2 using ldaptive < 1.0.11.

Recommendations
===============

All deployers affected should take at least one, and preferably both,
of the following steps:

1. Update to V3.3.2 to correct the flaw and to maintain use of a
   supported release.

2. Copy the server's certificate (or more typically a CA) to a file
   and reference it with the trustFile attribute.

As a short term fix, you MAY obtain and replace the version of ldaptive
inside the deployed warfile with the latest ldaptive version, but it's
generally simpler to just do the first step above.

Note that as of V3.3.2, the software will now warn in most cases if the
default JVM trust approach is used in the LDAP connector, and a future
version will no longer support this approach, as it continues to be a
source of security problems.

References
==========

URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20171004.txt

Credits
=======

Russell Ianniello, Australian Access Federation

[1] https://wiki.shibboleth.net/confluence/display/IDP30/LDAPConnector

==========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44         +
+ 23 - 25 Rue Daviel    | fax  : 01-53-94-20-41         +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
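To make recommendation 2 concrete, the following is an added illustration (not part of the advisory and not taken from the Shibboleth project's documentation) of an attribute-resolver LDAP DataConnector first in the vulnerable form, relying on default JVM trust over LDAPS, and then in the hardened form that pins the server's CA through the trustFile attribute. The connector id, hostname, baseDN, service account and the path /opt/shibboleth-idp/credentials/ldap-server.crt are assumed example values; the PEM file at that path is the server's certificate or CA that the deployer copied out of band, and the placeholder password must be replaced.

```xml
<!-- Added example: attribute-resolver.xml DataConnector fragments (hypothetical values). -->

<!-- BEFORE (vulnerable): LDAPS with no trustFile attribute, so the
     ldaptive library falls back to default JVM trust and, in the
     affected versions, does not validate the server certificate. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="ldaps://ldap.example.org:636"
    baseDN="ou=people,dc=example,dc=org"
    principal="uid=idp-service,ou=system,dc=example,dc=org"
    principalCredential="CHANGE-ME-placeholder">
    <FilterTemplate>
        <![CDATA[
            (uid=$resolutionContext.principal)
        ]]>
    </FilterTemplate>
</DataConnector>

<!-- AFTER (hardened): trustFile points at a PEM file holding the LDAP
     server's certificate or, more typically, the issuing CA. With this
     attribute present the connector no longer relies on default JVM
     trust, and a certificate not chaining to this file is rejected. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="ldaps://ldap.example.org:636"
    baseDN="ou=people,dc=example,dc=org"
    principal="uid=idp-service,ou=system,dc=example,dc=org"
    principalCredential="CHANGE-ME-placeholder"
    trustFile="/opt/shibboleth-idp/credentials/ldap-server.crt">
    <FilterTemplate>
        <![CDATA[
            (uid=$resolutionContext.principal)
        ]]>
    </FilterTemplate>
</DataConnector>
```

After deploying the hardened connector, a quick check is to temporarily point trustFile at a PEM file that does not contain the server's CA and confirm in idp-process.log that attribute resolution now fails with a TLS handshake error; if resolution still succeeds, the connector is not using the trust file you think it is.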