
=====================================================================

                              CERT-Renater

                   Note d'Information No. 2023/VULN199

_____________________________________________________________________

DATE                : 19/05/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running the OpenID Connect OP plugin for the
                         Shibboleth Identity Provider, plugin versions
                         prior to 3.4.0.

=====================================================================
https://shibboleth.net/community/advisories/secadv_20230512.txt
_____________________________________________________________________


Shibboleth Identity Provider Plugin Security Advisory [12 May 2023]

An updated version of the OpenID Connect OP plugin for the Shibboleth
Identity Provider is now available which corrects a pair of race
conditions in the client authentication and dynamic registration
features.

Both issues are of "low" severity, and neither is likely to manifest
without significant load on the server.

OpenID Connect OP plugin contains multiple race conditions
======================================================================
A pair of race conditions have been identified in the OP plugin.

The client authentication feature that processes requests from
RP clients to validate access to the OP's endpoints contains a race
condition that under load could result in clients being successfully
validated with a client secret associated with a different client.

This is difficult to exploit due to the lack of predictability, and
would require that a client have access to a client secret associated
with a different client being validated at the same time.

A second, less critical race condition was found in the part of the
dynamic client registration support involving metadata policy.
Unknown claims that are intended to be ignored and dropped may be
validated by the wrong policy and could be included in a client's
registration if allowed by the policy applied by mistake.
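The advisory does not describe the internals of either race. The following is an added illustration, written for this note and not taken from the Shibboleth OP plugin's code, of the general bug class behind the client authentication issue: per-request state (the secret looked up for one client) kept on an object shared between concurrent requests, so that an interleaving of two requests compares one client's presented secret against another client's stored secret. The client ids, secrets, class names and the specific interleaving are all constructed; the hardened variant keeps the lookup in local scope so no interleaving can mix clients up. The interleaving is replayed step by step rather than with threads so the outcome is deterministic.

```python
"""Constructed illustration of a shared-state race in client authentication.
Not the Shibboleth OP plugin's code: client ids, secrets and the
interleaving below are made up for the example."""
import hmac

# Constructed registry of RP clients and their secrets.
CLIENT_SECRETS = {
    "rp-alpha": "alpha-secret",
    "rp-beta": "beta-secret",
}


class SharedStateAuthenticator:
    """Vulnerable pattern: the secret looked up for a request is stored on
    the shared instance between the lookup step and the compare step, so a
    concurrent request can overwrite it before the comparison runs."""

    def __init__(self, secrets):
        self._secrets = secrets
        self._expected = None  # shared mutable field: the defect

    def begin(self, client_id):
        # Step 1 of a request: look up the client's secret and stash it.
        self._expected = self._secrets.get(client_id)

    def finish(self, presented_secret):
        # Step 2 of the same request: compare against the stash, which by
        # now may have been written by a different request.
        if self._expected is None:
            return False
        return hmac.compare_digest(self._expected, presented_secret)


class StatelessAuthenticator:
    """Hardened pattern: the expected secret exists only in the local scope
    of the request that looked it up, so interleaving cannot mix clients."""

    def __init__(self, secrets):
        self._secrets = secrets

    def authenticate(self, client_id, presented_secret):
        expected = self._secrets.get(client_id)
        if expected is None:
            return False
        return hmac.compare_digest(expected, presented_secret)


def interleaved_vulnerable():
    """Replay one interleaving deterministically: request A (rp-alpha)
    starts, request B (rp-beta) starts, then request A finishes while
    presenting rp-beta's secret.  Returns True if rp-alpha was accepted
    with a secret that is not its own."""
    auth = SharedStateAuthenticator(CLIENT_SECRETS)
    auth.begin("rp-alpha")             # A stashes alpha-secret
    auth.begin("rp-beta")              # B overwrites the stash with beta-secret
    return auth.finish("beta-secret")  # A is compared against B's secret


def interleaved_hardened():
    """Same two requests against the hardened authenticator; the order no
    longer matters because no request state is shared between them."""
    auth = StatelessAuthenticator(CLIENT_SECRETS)
    auth.authenticate("rp-beta", "beta-secret")
    return auth.authenticate("rp-alpha", "beta-secret")


if __name__ == "__main__":
    print("vulnerable pattern accepted wrong secret:", interleaved_vulnerable())  # True
    print("hardened pattern accepted wrong secret:", interleaved_hardened())      # False
```

The point for reviewers of similar code is the one the advisory makes about load: the defect only manifests when two requests are in flight at once, so single-request tests pass and the bug surfaces only under concurrency. A deterministic replay of the interleaving, as above, is the reliable way to turn such a finding into a regression test.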


Recommendations
===============

Update to V3.4.0 or later of the OIDC OP plugin, which is now available.
The IdP's plugin installer can perform this update process.

Note that this plugin requires IdP V4.3, so you may need to patch the
IdP first if you are on an unsupported version.

This minor update includes some changes that may affect a small number
of deployments, so please review the Release Notes [1] when upgrading.


Credits
=======
This issue was discovered by the Shibboleth Project team itself.

[1] https://shibboleth.atlassian.net/wiki/x/AQCCpQ

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20230512.txt


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

