
[upki-fed:00361] Regarding SpringerLink maintenance



To the universities participating in the GakuNin Federation,

This is Kanae Tanabe (田辺可奈絵) of Springer Japan.

In response to the matter below, we will carry out maintenance on SpringerLink
as follows.

SpringerLink Shibboleth Update maintenance
Friday, August 5, 2011, 3:00 AM - 7:00 AM
During this window, all SpringerLink functions other than Shibboleth will remain available.
Only the Shibboleth login function will be disabled.
---------
MetaPress has scheduled maintenance on the Shibboleth login feature on Thursday, August 4, 2011 from 1:00 PM - 5:00 PM Central Daylight Time (UTC - Thursday, August 4, 2011 at 18:00:00 - Thursday, August 4, 2011 at 22:00:00). SpringerLink will be available during this time and all IP recognition, Athens logins, and personal MetaPress account logins will work. Only Shibboleth will be disabled.
---------

Thank you for your cooperation.

Springer Japan
Kanae Tanabe (田辺可奈絵)
xxxxxxxxxxxx@xxxxxxxxxxxx
-----Original Message-----
From: xxxxxx@xxxxxxxxx [mailto:xxxxxx@xxxxxxxxx] 
Sent: Friday, July 29, 2011 6:13 PM
To: xxxxxxxx@xxxxxxxxx
Subject: [upki-fed:00360] [GakuNin Information Exchange ML] Shibboleth Security Advisory [25 July 2011]

This is the GakuNin Secretariat at the National Institute of Informatics.

We have received the following Shibboleth security advisory describing a
Shibboleth vulnerability and its countermeasures, which we forward for your information.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Shibboleth Security Advisory [25 July 2011]

Updated versions of the Shibboleth Project's OpenSAML software in
Java and C++ are available which correct a security issue.

This general issue affects BOTH Identity and Service Provider
deployments, so a single advisory is being issued for both.

For the Identity Provider, this issue is rated as "important". An
unauthenticated remote attacker could leverage the flaw to obtain
unauthorized access to user data under certain circumstances.

For the Service Provider, this issue is rated as "critical", and
allows an unauthenticated remote attacker to access protected
resources.

Deployers should take immediate steps as outlined in this advisory
and apply the relevant update(s) at the soonest possible moment.

OpenSAML software is vulnerable to XML Signature wrapping attacks
=======================================================================
The Shibboleth software relies on the OpenSAML libraries to perform
verification of signed XML messages such as attribute queries or
SAML assertions. Both the Java and C++ versions are vulnerable to a
so-called "wrapping attack" that allows a remote, unauthenticated
attacker to craft specially formed messages that can be successfully
verified, but contain arbitrary content.

Identity Provider Vulnerability
-------------------------------
The Identity Provider software relies on the Java version of OpenSAML
and is vulnerable to attacks when XML message signing is used in place
of TLS client authentication for requests such as attribute queries or
SAML artifact resolution. It is also vulnerable to attacks involving
signed AuthnRequest messages, but these are not critical in most
deployments. Some vulnerabilities also exist with use of the extension
that supports delegation of user access, which is not included with the
core software, but available as an add-on.

All versions of the Identity Provider software prior to V2.3.2
ship with a version of OpenSAML containing the vulnerability.

Some mitigation for these attacks is possible by disabling support for
accepting signed messages. See below for information on this option.

Identity Provider Recommendations
---------------------------------
Upgrade to V2.3.2 of the Identity Provider software to obtain the
corrected version of OpenSAML (V2.5.1), per the normal upgrade process:

https://wiki.shibboleth.net/confluence/display/SHIB2/IdP2Upgrade

If you cannot upgrade immediately, you may mitigate the attack by
disabling support for message signing in the security policies
defined near the bottom of "relying-party.xml" by commenting out
all <security:Rule> elements with
xsi:type="samlsec:ProtocolWithXMLSignature" and restarting your
Java container.


Service Provider Vulnerability
------------------------------
The Service Provider software relies on the C++ version of OpenSAML
and is vulnerable to attacks when handling authentication responses
from IdPs. This allows an attacker to subvert the security of the
system and supply an unauthenticated login identity and data under
the guise of a trusted issuer.

All versions of the OpenSAML library prior to V2.4.3 contain this
vulnerability. Note that this refers to the OpenSAML version, *not*
the Shibboleth version. To determine the version you're using:

- Windows: check the DLL version for saml2_4.dll in your installation's
lib folder (anything older than saml2_4 is obviously too old)

- Linux/RPM: Check the package version using "rpm -qa | grep saml"

- Macport: Use the "port installed" command

Do not rely on log files for version determination, as this can be
inaccurate and may refer to the version against which the software
was compiled.

There are no known mitigations to prevent this attack apart from
applying this update. Deployers should take immediate steps, and
may wish to disable the use of the SP until the upgrade is done.

Service Provider Recommendations
--------------------------------
Upgrade to V2.4.3 or later of the OpenSAML library and restart the
shibd service/daemon.

Sites relying on official RPM packages or Macports can update via the
yum and port commands respectively, but should manually restart shibd.

The updated library has been built into the Windows installation kits
for V2.4.3 of the SP software, and can be found in the "postinstall"
ZIP kits provided for SP update. *Any* version of the SP since 2.0
can be safely upgraded by unpacking the latest postinstall ZIP
over top of the original software. One exception to this: Windows 2000,
which has not been supported since V2.4 was released.

Note that older Windows installs may not have the latest Microsoft
C/C++ runtime libraries present. Installation kits for both 32-bit and
64-bit runtimes can be found here:

http://shibboleth.net/downloads/service-provider/msredist/

For those using platforms unsupported by the project team directly,
refer to your vendor or package source directly for information on
obtaining the fixed version. If the update from your vendor lags,
you should consider building opensaml from source for your own use
as an interim step.

Credits
-------
Juraj Somorovsky, Andreas Mayer, Meiko Jensen, Florian Kohlar,
Marco Kampmann, Jörg Schwenk
Horst Görtz Institute for IT Security,
Ruhr-University Bochum

Thanks to Juraj Somorovsky for working with the developers to
explore and address this issue.

URL for this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20110725.txt

The OpenSAML portion of this advisory has been assigned
CVE-2011-1411 by the National Vulnerability Database.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1411
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (Darwin)

iEYEAREKAAYFAk4s3dkACgkQpXtW80eQXRVTsACeOQckY5CpcHFtKj7wMzAbNRfY
S8EAoLN4EFztTdYMjmnI9yxdGILMu5v3
=J9lb
-----END PGP SIGNATURE-----


-- 
===============================================
National Institute of Informatics, Academic Infrastructure Promotion Department, Academic Infrastructure Division
    Collaboration Infrastructure Team, Namiki
TEL:03-4212-2218 E-Mail:xxxxxx@xxxxxxxxx
===============================================
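The wrapping attack the advisory describes, and the structural check that defeats it, as an added Python example (not code from the advisory, the OpenSAML project or this mailing list). It assumes a SAML 2.0 Response carrying an enveloped signature whose ds:Reference URI points at the Assertion by ID. Cryptographic verification is deliberately stubbed out: the flaw is in which element the consumer trusts after verification succeeds, not in the cryptography. Both SAML documents, the function names and the IDs are constructed for this example.

```python
"""Structural defence against XML Signature wrapping in a SAML 2.0 Response.

Added example; not the advisory's or OpenSAML's code. The signed element
resolved from the Reference URI must be the very Assertion whose Subject is
used for login, and that ID must occur exactly once in the document.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class WrappingError(ValueError):
    """Raised when the signed element is not the element being consumed."""


def _reference_uri(sig):
    """Return the ID named by the signature's same-document Reference URI."""
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or not ref.get("URI", "").startswith("#"):
        raise WrappingError("signature lacks a same-document Reference URI")
    return ref.get("URI")[1:]


def _element_by_id(root, ident):
    """Resolve an ID; a duplicate ID is itself treated as a wrapping signal."""
    matches = [e for e in root.iter() if e.get("ID") == ident]
    if len(matches) != 1:
        raise WrappingError("ID %r occurs %d times, expected 1" % (ident, len(matches)))
    return matches[0]


def naive_subject(xml_text):
    """Vulnerable pattern: confirm that the referenced ID exists somewhere,
    then trust the first Assertion found directly under the Response."""
    root = ET.fromstring(xml_text)
    sig = root.find(".//ds:Signature", NS)       # any Signature in the document
    _element_by_id(root, _reference_uri(sig))   # "verified": referenced element exists
    assertion = root.find("saml:Assertion", NS)
    return assertion.find("saml:Subject/saml:NameID", NS).text


def checked_subject(xml_text):
    """Hardened pattern: the Assertion we consume must carry the Signature,
    and the Reference URI must resolve to that same Assertion object."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise WrappingError("no Assertion directly under Response")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise WrappingError("consumed Assertion carries no enveloped Signature")
    signed = _element_by_id(root, _reference_uri(sig))
    if signed is not assertion:
        raise WrappingError("Reference points at an element other than the consumed Assertion")
    return assertion.find("saml:Subject/saml:NameID", NS).text


def rejects(xml_text):
    """True when the hardened check refuses the document."""
    try:
        checked_subject(xml_text)
    except WrappingError:
        return True
    return False


# Constructed sample documents (placeholder SignatureValue, no real crypto).
_SIGNATURE = (
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
    '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>'
)
_ROOT_OPEN = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">'
)
_ALICE = (
    '<saml:Assertion ID="_a1">' + _SIGNATURE +
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>'
)
GENUINE = _ROOT_OPEN + _ALICE + '</samlp:Response>'
# The genuine, signed Assertion is tucked into Extensions; an unsigned Assertion
# with a different Subject sits where the consumer expects to find one.
WRAPPED = _ROOT_OPEN + (
    '<samlp:Extensions>' + _ALICE + '</samlp:Extensions>'
    '<saml:Assertion ID="_a2">'
    '<saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>'
    '</samlp:Response>'
)

if __name__ == "__main__":
    print("naive, genuine :", naive_subject(GENUINE))
    print("naive, wrapped :", naive_subject(WRAPPED))   # accepts the unsigned Subject
    print("checked, genuine:", checked_subject(GENUINE))
    print("checked, wrapped:", "rejected" if rejects(WRAPPED) else "accepted")
```

The naive consumer verifies a signature that is genuinely valid and still logs in the wrong Subject, which is exactly why the advisory lists no configuration-level mitigation for the SP: the signature check itself passes. The hardened consumer keys everything off the object it is about to trust, rejects duplicate IDs, and treats a Signature that is not enveloped in that object as a failure.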