
inc-ops-notifications - [InCommon NOTICE] Important security advisory related to CVE-2018-0489

  • From: Shannon Roddy <>
  • To:
  • Subject: [InCommon NOTICE] Important security advisory related to CVE-2018-0489
  • Date: Tue, 27 Feb 2018 17:47:11 -0500

Hello,

We are contacting you in order to raise awareness of a critical security
issue. The problem is a general issue with the way XML is processed by
many XML libraries and the associated tooling. Many recipients of this
email will primarily be concerned with this vulnerability due to
Shibboleth being affected, however this is not just a Shibboleth
problem. It is possible and/or likely that other vulnerabilities
related to this will continue to be discovered.

Several CVEs are associated with work by Duo Security [1] researchers in
relation to this bug:

OneLogin - python-saml - CVE-2017-11427
OneLogin - ruby-saml - CVE-2017-11428
Clever - saml2-js - CVE-2017-11429
OmniAuth-SAML - CVE-2017-11430
Shibboleth - CVE-2018-0489
Duo Network Gateway - CVE-2018-7340

SimpleSAMLphp also released a security update today related to XML
signatures, however details are under embargo on their web site [2] at
this time.

It is not currently known whether or not PySAML2 is affected, but we are
making inquiries and will update you when we find out more. For the
moment, there is an ongoing thread in relation to this [5].

On February 27th, the Shibboleth Consortium released a critical security
advisory [3], and a follow-up to that advisory [4]. The vulnerability is
of greatest concern to Service Providers. In many cases, the
administrators operating these Service Providers may not be subscribed
to channels through which they would see these advisories. It is
important that operators of Service Providers patch for this
vulnerability, and if they would not otherwise be aware of this problem,
that this information be urgently shared with them.

Thank You,
Shannon Roddy
Security Lead, Trust & Identity


[1] https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
[2] https://simplesamlphp.org/docs/stable/simplesamlphp-changelog#section_1
[3] https://marc.info/?l=shibboleth-announce&m=151974009716308&w=2
[4] https://marc.info/?l=shibboleth-announce&m=151974367617676&w=2
[5] https://github.com/IdentityPython/pysaml2/issues/497

