Note

If you would like to report an issue you believe is security related, you can do any of the following:

As always, sites are advised to use the latest stable release of any Shibboleth product. Refer to the ProductVersioning page for information about our support and versioning policies. The Home page identifies the specific versions recommended at a given point in time.

Identity Provider Vulnerability Matrix

The oldest IdP version unaffected by fixable vulnerabilities is V2.4.4.

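| Version | EOL | User Data Exposure | User Data Accuracy | Session Hijacking | Denial of Service | Remote Exploit | Advisories |
|---|---|---|---|---|---|---|---|
| All | Aug 2016 | X | X | | | | 2014-11-03, 2014-06-08, 2014-04-09, 2011-10-24, 2011-07-18, 2009-06-19 |
| 2.4.5 | Aug 2016 | X | X | | | | |
| 2.4.4 | Aug 2016 | X | X | | | | |
| 2.4.3 | Feb 2015 | X | X | | | | 2015-02-25 |
| 2.4.2 | Nov 2014 | X | X | | X | | |
| 2.4.1 | Sep 2014 | X | X | | X | | 2014-09-19 |
| 2.4.0 | Aug 2014 | X | X | | X | X | 2014-08-13 |
| 2.3.8 | Apr 2013 | X | X | | X | | 2013-04-17, 2013-04-17a |
| 2.3.6 - 2.3.7 | Jul 2012 | X | X | | X | | |
| 2.3.2 - 2.3.5 | Feb 2012 | X | X | | X | | 2012-02-27 |
| 2.3.0 - 2.3.1 | Jul 2011 | X | X | | X | X | 2011-07-25 |
| 2.2.1 | May 2011 | X | X | X | X | X | 2011-05-16 |
| 2.2.0 | Jan 2011 | X | X | X | X | X | 2011-01-13 |
| 2.1.5 | Sep 2010 | X | X | X | X | X | 2009-02-24 |
| 2.1.1 - 2.1.4 | Nov 2009 | X | X | X | X | X | 2009-11-04 |
| 2.0.0 | Dec 2008 | X | X | X | X | X | 2008-11-03 |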

Service Provider Vulnerability Matrix

The oldest SP version unaffected by fixable vulnerabilities (excepting the advisory from 2016-05-04) is V2.6.0 in conjunction with OpenSAML 2.5.5, Xerces 3.1.4, and OpenSSL 1.0.2h.

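| Version | EOL | User Data Exposure | Resource Exposure | Session Hijacking | Denial of Service | Remote Exploit | Advisories |
|---|---|---|---|---|---|---|---|
| All | | X | X | | | X | 2016-06-29, 2016-05-04, 2014-06-08, 2014-04-09, 2013-12-02, 2011-10-24 |
| 2.6.0 | | X | X | | | | |
| 2.5.6 | Jun 2016 | X | X | | | X | |
| 2.5.5 | Feb 2016 | X | X | | | X | |
| 2.5.4 | Jul 2015 | X | X | | X | X | 2015-07-21 |
| 2.5.3 | Mar 2015 | X | X | | X | X | 2015-03-19 |
| 2.5.2 | Dec 2013 | X | X | | X | X | |
| 2.5.0 - 2.5.1 | June 2013 | X | X | | X | | 2013-06-18, 2013-01-10 |
| 2.4.3 | Nov 2012 | X | X | | X | X | 2012-04-19 |
| 2.4.0 - 2.4.2 | Jul 2011 | X | X | | X | X | 2011-07-25, 2011-07-06 |
| 2.3.0 - 2.3.1 | Dec 2010 | X | X | | X | X | |
| 2.2.1 | Nov 2009 | X | X | X | X | X | 2009-11-04, 2009-08-26 |
| 2.2.0 | Aug 2009 | X | X | X | X | X | 2009-08-17 |
| 2.0.0 - 2.1.0 | Jun 2009 | X | X | X | X | X | 2009-06-15 |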

Advisory List

| Date | Title | Affects | Severity | CVE |
|---|---|---|---|---|
| 2016-06-29 | Apache Xerces-C XML Parser Crashes on Malformed DTD | SP w/ Xerces-C < 3.1.4 | medium | CVE-2016-4463 |
| 2016-05-04 | Shibboleth SP software <PathRegex> feature implemented incorrectly | SP (all released versions) | high | |
| 2016-02-25 | Apache Xerces-C XML Parser Crashes on Malformed Input | SP w/ Xerces-C < 3.1.3 | high | CVE-2016-0729 |
| 2015-07-21 | Shibboleth SP software crashes on well-formed but invalid XML | SP w/ xmltooling < 1.5.5, libsaml < 2.5.5 | medium | CVE-2015-2684 |
| 2015-03-19 | Shibboleth SP software crashes on malformed input messages | SP < 2.5.4, Xerces-C < 3.1.2 | medium | CVE-2015-0252 |
| 2015-02-25 | Identity Provider and OpenSAML-J PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation | IDP < 2.4.4, OpenSAML-J < 2.6.5 | high | |
| 2014-11-03 | Xerces-J XML Parser Vulnerable to Denial of Service | IDP with Xerces endorsed | medium | CVE-2013-4002 |
| 2014-09-19 | Shibboleth Identity Provider and OpenSAML-J HTTPS and LDAPS Connections Do Not Perform Proper Hostname Verification | IDP < 2.4.2, OpenSAML-J < 2.6.3 | high | CVE-2014-3604, CVE-2014-3607 |
| 2014-08-13 | HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification | IDP < 2.4.1, OpenSAML-J < 2.6.2 | medium | CVE-2014-3603 |
| 2014-06-08 | OpenSSL MITM issue | SP with any affected OpenSSL version, IDP w/ OpenSSL 1.0.1 - 1.0.1g | high | CVE-2014-0224 |
| 2014-04-09 | OpenSSL "Heartbleed" vulnerability | SP or IDP w/ OpenSSL 1.0.1 - 1.0.1f | very high | CVE-2014-0160 |
| 2013-12-15 | OpenSAML Java ParserPool and Decrypter Vulnerable To XML Attacks | OpenSAML-J < 2.6.1 | medium | |
| 2013-12-02 | Curl library skips TLS server certificate name checking | SP w/ libcurl between 7.18.0 and 7.33.0 | low | CVE-2013-4545 |
| 2013-06-18 | Shibboleth SP heap overflow processing InclusiveNamespace PrefixList | SP w/ libxml-security-c < 1.7.1 | high | CVE-2013-2156 |
| 2013-04-17 | Identity Provider HTTP-based Metadata Providers did not perform hostname verification | IDP < 2.4.0 | medium | |
| 2013-04-17 | Identity Provider issue In Metadata Providers with 'disregardSslCertificate' option | IDP < 2.4.0 | medium | |
| 2013-01-10 | Shibboleth SP software crashes on malformed IdP History Cookie | SP w/ libsaml 2.5.0 or 2.5.1 | low | |
| 2012-04-19 | OpenSSL ASN1 BIO vulnerability | SP w/ openssl < 1.0.0i | high | CVE-2012-2110 |
| 2012-02-27 | Identity Provider LDAPS Connections Do Not Perform Hostname Verification | IDP < 2.3.6 | high | |
| 2011-10-24 | Use of XML Encryption Vulnerable to Chosen Ciphertext Attacks | SP and IdP, all versions | medium | |
| 2011-07-25 | OpenSAML software is vulnerable to XML Signature wrapping attacks | IDP < 2.3.2; SP w/ libsaml < 2.4.3 | high | CVE-2011-1411 |
| 2011-07-18 | Multi-Session Information Leakage | IDP >= 2.1 | medium | |
| 2011-07-06 | Shibboleth SP software crashes on large signing/encryption keys | SP w/ libxml-security-c < 1.6.1 | high | CVE-2011-2516 |
| 2011-05-16 | Velocity templates vulnerable to XSS (cross-site scripting) injection | IDP < 2.3.0 | high | |
| 2011-01-13 | Shibboleth IdP 2.X Single TransientID Mapped to Multiple Principals | IDP < 2.2.1 | high | |
| 2009-11-04 | Shibboleth software improperly handles malformed URLs | IDP < 2.1.5; SP < 2.3 | high | CVE-2009-3300 |
| 2009-08-26 | Shibboleth SP software improperly handles malformed URLs | SP w/ libxmltooling < 1.2.2 | high | |
| 2009-08-17 | Shibboleth SP software improperly evaluates KeyDescriptors | SP < 2.2.1 | low | |
| 2009-08-17 | Shibboleth SP software improperly handles certificate names | SP < 2.2.1 or w/ libcurl < 7.19.6 | high | |
| 2009-06-19 | Potential Access to Sensitive Information when Clustering Shibboleth 2.X IdPs | IDP, all versions w/ Terracotta | medium | |
| 2009-06-15 | Shibboleth SP software on IIS vulnerable to header spoofing | SP < 2.2 w/ IIS, but see this | high | |
| 2009-02-24 | Shibboleth IdP 2.X cross-site request attack | IDP < 2.2.0 | high | |
| 2008-11-03 | Shibboleth IdP 2.0 UsernamePassword Login Handler Vulnerable to Cross-site Request Attack | IDP < 2.1.0 | high | |