Updated Mar. 1, 2018

There is another serious vulnerability in the Shibboleth Service Provider package which allows a SAML assertion sent from the identity provider to be edited in transit and still be accepted by the service provider: the signature on the assertion is ignored.

Recommendation:

  1. Upgrade to the XMLTooling-C library v1.6.4 or later, then restart shibd and the web server (Linux distributions). The January 2018 announcement recommended upgrading to XMLTooling-C v1.6.3; that version has since been found to be broken.
  2. See the Reference section below for Windows system recommendations.
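The version gate above (1.6.4 or later is fixed, 1.6.3 is the broken interim release) as an added shell check, not part of this notice or the Shibboleth project; the rpm/dpkg package names it queries are assumptions for common Linux distributions:

```shell
#!/bin/sh
# Added example: decide whether an installed XMLTooling-C version carries the
# fix from the Shibboleth advisories. Run with --check to inspect this host.

FIXED_VERSION="1.6.4"

# version_ge A B: returns 0 when dotted version A >= B (uses GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# Classify a version string: fixed / broken / vulnerable / unknown.
# 1.6.3 is singled out because the January announcement pointed at it and it
# was later found to be broken; anything below 1.6.4 is otherwise vulnerable.
xmltooling_status() {
    case "$1" in
        "")    echo "unknown" ;;
        1.6.3) echo "broken" ;;
        *)     if version_ge "$1" "$FIXED_VERSION"; then
                   echo "fixed"
               else
                   echo "vulnerable"
               fi ;;
    esac
}

# Read the installed upstream version from the package manager.
# Package names (xmltooling, libxmltooling*) are assumed, not taken from the notice.
installed_xmltooling_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' xmltooling 2>/dev/null | grep -v 'not installed' | head -n 1
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' 'libxmltooling*' 2>/dev/null | sed 's/[-+].*//' | head -n 1
    fi
}

report() {
    ver="$(installed_xmltooling_version)"
    status="$(xmltooling_status "$ver")"
    echo "XMLTooling-C ${ver:-<not found>}: $status"
    case "$status" in
        fixed) echo "Restart shibd and the web server if not done after the upgrade." ;;
        *)     echo "Upgrade to XMLTooling-C $FIXED_VERSION or later, then restart shibd and the web server." ;;
    esac
}

if [ "${1:-}" = "--check" ]; then
    report
fi
```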

Mitigations:

Many SPs accept encrypted assertions, which prevents the XML assertion from being edited in transit. The patch is still recommended, however. ISEA is working to ensure all SAML assertions are encrypted.

Reference:

https://shibboleth.net/community/advisories/secadv_20180112.txt

https://shibboleth.net/community/advisories/secadv_20180227.txt