[cv-announce-l] SimpleSAMLphp Vulnerabilities (CVE-2018-6519/CVE-2018-7644/CVE-2018-7711)
- From: Terry Fleury <tfleury@illinois.edu>
- To: cv-announce@trustedci.org
- Subject: [cv-announce-l] SimpleSAMLphp Vulnerabilities (CVE-2018-6519/CVE-2018-7644/CVE-2018-7711)
- Date: Mon, 2 Apr 2018 17:52:26 -0500
CI Operators:
Several vulnerabilities have been identified in the SimpleSAMLphp application [1] and its associated saml2 library [2]. Updated RPMs have been released for RedHat/CentOS 6/7. Check your distribution for updated packages.

Vulnerabilities:

[3] A timestamp in a SAML document can contain an arbitrarily large number of digits, causing the regular expression parser to choke, resulting in Denial of Service (DoS).

[4] & [5] Improper signature validation allows an attacker to craft an arbitrary SAML assertion, resulting in the ability to impersonate another user.

Remediation:

Upgrade to the latest versions of SimpleSAMLphp and the simplesamlphp/saml2 library.

Affected Software:

* SimpleSAMLphp < 1.15.4
* simplesamlphp/saml2 3.x < 3.1.4
* simplesamlphp/saml2 2.x < 2.3.8
* simplesamlphp/saml2 1.x < 1.10.6

References:

[1] https://github.com/simplesamlphp/simplesamlphp
[2] https://github.com/simplesamlphp/saml2
[3] https://simplesamlphp.org/security/201801-01
[4] https://simplesamlphp.org/security/201802-01
[5] https://simplesamlphp.org/security/201803-01

How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
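The following is an added example accompanying the advisory above; it is not code from the advisory, from Trusted CI, or from the SimpleSAMLphp project. It shows two checks an operator might run: a timestamp validator that caps input length and bounds every quantifier in its pattern before parsing (the class of defence against the digit-flooding DoS described in [3]; the library's own vulnerable pattern is not reproduced here), and a version audit of a composer.lock against the affected ranges listed under "Affected Software". The helper names, the 64-character length cap, the nine-digit fractional-second limit, the tuple encoding of the version ranges and the sample composer.lock are all this example's assumptions.

```python
"""Defensive checks prompted by the SimpleSAMLphp advisory above.

Added example, not code from the advisory or the SimpleSAMLphp project.
Assumptions (not from the page): helper names, MAX_TIMESTAMP_LEN, the
9-digit fractional-second bound and the tuple form of the affected ranges.
"""
import json
import re
from datetime import datetime, timezone

# Length cap applied before any regular expression sees the input.  A UTC
# xs:dateTime with nine fractional digits is 30 characters, so 64 is
# generous (assumed bound, chosen for this example).
MAX_TIMESTAMP_LEN = 64

# Every quantifier has a fixed upper limit, so matching cost is linear in
# the already-capped input length and cannot be inflated with extra digits.
XS_DATETIME_RE = re.compile(
    r"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?Z"
)


def parse_saml_timestamp(value: str) -> datetime:
    """Parse a SAML timestamp (UTC, 'Z' suffix) or raise ValueError.

    Oversized input is refused by length first, so a timestamp padded with
    a huge run of digits never reaches the regular expression at all.
    """
    if len(value) > MAX_TIMESTAMP_LEN:
        raise ValueError("timestamp too long (%d chars)" % len(value))
    m = XS_DATETIME_RE.fullmatch(value)
    if m is None:
        raise ValueError("timestamp is not a UTC xs:dateTime: %r" % value)
    year, month, day, hour, minute, second, frac = m.groups()
    # Keep microsecond precision; fractional digits beyond six are dropped.
    micro = int((frac or "0").ljust(6, "0")[:6])
    return datetime(int(year), int(month), int(day),
                    int(hour), int(minute), int(second),
                    micro, tzinfo=timezone.utc)


def is_valid_saml_timestamp(value: str) -> bool:
    """Boolean wrapper around parse_saml_timestamp for filtering input."""
    try:
        parse_saml_timestamp(value)
    except ValueError:
        return False
    return True


# Affected ranges from the advisory, encoded as [lower_inclusive,
# upper_exclusive) tuples of (major, minor, patch).  Composer package
# names are assumed; "SimpleSAMLphp < 1.15.4" is read as every lower version.
AFFECTED = {
    "simplesamlphp/simplesamlphp": [((0, 0, 0), (1, 15, 4))],
    "simplesamlphp/saml2": [
        ((3, 0, 0), (3, 1, 4)),
        ((2, 0, 0), (2, 3, 8)),
        ((1, 0, 0), (1, 10, 6)),
    ],
}


def parse_version(version: str) -> tuple:
    """Turn 'v1.15.3', '1.15.3-rc1' or '1.15' into a (major, minor, patch) tuple."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    if not parts:
        raise ValueError("no numeric version in %r" % version)
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(package: str, version: str) -> bool:
    """True if the package/version pair falls inside a listed affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED.get(package, []))


# Constructed sample composer.lock content (not a real lock file).
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "simplesamlphp/saml2", "version": "v3.1.3"},
        {"name": "robrichards/xmlseclibs", "version": "3.0.1"},
    ]
})


def audit_composer_lock(lock_json: str) -> list:
    """Return [(name, version), ...] for affected packages in a composer.lock."""
    data = json.loads(lock_json)
    hits = []
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        name, version = pkg.get("name", ""), pkg.get("version", "")
        if name in AFFECTED and is_affected(name, version):
            hits.append((name, version))
    return hits


if __name__ == "__main__":
    print(parse_saml_timestamp("2018-04-02T22:52:26Z"))
    flooded = "2018-04-02T22:52:26." + "1" * 100000 + "Z"
    print("flooded timestamp accepted:", is_valid_saml_timestamp(flooded))
    print("affected packages:", audit_composer_lock(SAMPLE_COMPOSER_LOCK))
```

Run it against a real deployment by feeding the contents of the application's composer.lock to audit_composer_lock; an RPM-based install should instead be compared with the package manager's reported version using is_affected. The timestamp check is the general shape of the mitigation (reject by length, then match a fully bounded, anchored pattern) and is independent of which library parses the assertion.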