
====================================================================

                             CERT-Renater

                 Note d'Information No. 2018/VULN419
_____________________________________________________________________

DATE                : 21/12/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Shibboleth Identity Provider
                     versions prior to v3.0.2.

=====================================================================
https://shibboleth.net/community/advisories/secadv_20181219a.txt
_____________________________________________________________________



Shibboleth Service Provider Security Advisory [19 December 2018]

An updated version of the Shibboleth Service Provider software
is now available which corrects a denial of service vulnerability.

Shibboleth SP software crashes on malformed date/time content
===============================================================
SAML messages, assertions, and metadata all commonly contain
date/time information in a standard XML format.

Invalidly formatted data in such fields causes an exception of a type
that was not handled properly in the V3 software, resulting in a crash
(usually of the shibd daemon process, but possibly of Apache in rare
cases). Note that the crash occurs prior to evaluation of a message's
authenticity, so it can be triggered by an untrusted attacker.

The problem is believed to be specific to the V3 software and
would not cause a crash in the older, now unsupported, V2 software.

All SP versions between 3.0.0 and 3.0.2 are affected.
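The defensive pattern implied by the advisory, as an added Python example (not Shibboleth SP code; function names and the sample timestamps are assumptions): a date/time value from an untrusted SAML message must be rejected on malformed input, never allowed to escape as an unhandled exception, because it is examined before the message is authenticated.

```python
import re
from datetime import datetime, timezone, timedelta
from typing import Optional

# xsd:dateTime as used in SAML: YYYY-MM-DDThh:mm:ss[.fraction](Z|+hh:mm|-hh:mm)
# A time zone is required here; SAML mandates UTC ("Z") for its time values.
_XSD_DATETIME = re.compile(
    r"(-?\d{4,})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?"
    r"(Z|[+-]\d{2}:\d{2})"
)


def parse_xsd_datetime(value) -> Optional[datetime]:
    """Strictly parse an xsd:dateTime from untrusted input.

    Returns None for anything malformed instead of raising, so a bad value
    in an unauthenticated message can never propagate out of message
    processing as an exception (the failure mode behind the SP crash).
    """
    if not isinstance(value, str):
        return None
    m = _XSD_DATETIME.fullmatch(value)
    if m is None:
        return None
    year, month, day, hour, minute, second, frac, tz = m.groups()
    try:
        micro = int((frac or "0")[:6].ljust(6, "0"))  # truncate to microseconds
        if tz == "Z":
            tzinfo = timezone.utc
        else:
            sign = 1 if tz[0] == "+" else -1
            tz_h, tz_m = int(tz[1:3]), int(tz[4:6])
            if tz_h > 14 or tz_m > 59:
                return None
            tzinfo = timezone(sign * timedelta(hours=tz_h, minutes=tz_m))
        # datetime() itself rejects out-of-range fields (month 13, hour 25, Feb 30);
        # the ValueError is caught here rather than left to the caller.
        return datetime(int(year), int(month), int(day), int(hour),
                        int(minute), int(second), micro, tzinfo)
    except (ValueError, OverflowError):
        return None


def conditions_valid(not_before: str, not_on_or_after: str, now: datetime) -> bool:
    """Evaluate SAML <Conditions> timestamps; malformed values fail closed."""
    nb = parse_xsd_datetime(not_before)
    noa = parse_xsd_datetime(not_on_or_after)
    if nb is None or noa is None:
        return False
    return nb <= now < noa
```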

Recommendations
===============
Update to V3.0.3 or later of the Service Provider software, which is
now available.

Credits
=======
Paolo Smiraglia, Antonio Giovanni Schiavone, Michele D'Amico,
and Umberto Rosini, of Agenzia per l'Italia Digitale (AgID)

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20181219a.txt

===============================================================
+ CERT-RENATER               | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel         | fax : 01-53-94-20-41           +
+ 75013 Paris                | email: cert@support.renater.fr +
===============================================================


