Security Advisory for Shibboleth Service Providers

Posted on January 31, 2018

A security advisory for the Shibboleth Service Provider software was published for both Linux and Windows platforms.

The Shibboleth Service Provider software is vulnerable to forged user attribute data, which could facilitate user impersonation that exposes protected information.

To mitigate the risk, we urge Service Providers participating in CAF or using the software local to their institution to act swiftly on the guidance in the advisory.

To mitigate: upgrade to V1.6.3 or later of the XMLTooling-C library and restart the affected processes (shibd, Apache, etc.).

Additional details can be found at: https://shibboleth.net/community/advisories/secadv_20180112.txt