CAF – Security Advisory for Shibboleth Service Providers

A security advisory for the Shibboleth Service Provider software was published for both Linux and Windows platforms.

The Shibboleth Service Provider software is vulnerable to forged user attribute data, which could facilitate user impersonation that exposes protected information.

To mitigate the risk, we urge Service Providers participating in CAF or using the software local to their institution to act swiftly on the guidance in the advisory.

To Mitigate: Upgrade to V1.6.3 or later of the XMLTooling-C library and restart the affected processes (shibd, Apache, etc.)

Additional details can be found at: