cv-announce-l - [cv-announce-l] SimpleSAMLphp Vulnerabilities (CVE-2018-6519/CVE-2018-7644/CVE-2018-7711)

cv-announce-l@list.iu.edu

Subject: cv alerts list

  • From: Terry Fleury <tfleury@illinois.edu>
  • To: cv-announce@trustedci.org
  • Subject: [cv-announce-l] SimpleSAMLphp Vulnerabilities (CVE-2018-6519/CVE-2018-7644/CVE-2018-7711)
  • Date: Mon, 2 Apr 2018 17:52:26 -0500

CI Operators:
Several vulnerabilities have been identified in the SimpleSAMLphp application [1] and its associated saml2 library [2]. Updated RPMs have been released for RedHat/CentOS 6/7. Check your distribution for updated packages.
Vulnerabilities:
* [3] A timestamp in a SAML document can contain an arbitrarily large number of digits, causing the regular expression parser to choke, resulting in Denial of Service (DoS).
* [4] & [5] Improper signature validation allows an attacker to craft an arbitrary SAML assertion, resulting in the ability to impersonate another user.
Remediation: Upgrade to the latest versions of SimpleSAMLphp and the simplesamlphp/saml2 library.
Affected Software:
* SimpleSAMLphp < 1.15.4
* simplesamlphp/saml2 3.x < 3.1.4
* simplesamlphp/saml2 2.x < 2.3.8
* simplesamlphp/saml2 1.x < 1.10.6

References:
[1] https://github.com/simplesamlphp/simplesamlphp
[2] https://github.com/simplesamlphp/saml2
[3] https://simplesamlphp.org/security/201801-01
[4] https://simplesamlphp.org/security/201802-01
[5] https://simplesamlphp.org/security/201803-01
How Trusted CI can help: The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI can not provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
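The check an operator would run first is whether a deployment's Composer-installed packages fall inside the affected ranges listed above. The script below is an added example for this advisory, not code from Trusted CI or the SimpleSAMLphp project; it assumes a standard composer.lock layout ("packages" / "packages-dev" arrays with "name" and "version"), and the lock excerpt it scans is constructed sample data.

```python
import json

# Fixed versions from the advisory, keyed by package and major branch.
# A None key means the fix applies to every release below that version.
FIXED = {
    "simplesamlphp/simplesamlphp": {None: "1.15.4"},
    "simplesamlphp/saml2": {1: "1.10.6", 2: "2.3.8", 3: "3.1.4"},
}

def parse_version(v):
    """Turn 'v2.3.7' or '2.3.7-beta' into a comparable (major, minor, patch) tuple."""
    core = v.lstrip("v").split("-")[0]
    parts = []
    for p in core.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def fixed_version_for(package, version):
    """Return the fix version that applies to this package/branch, or None."""
    branches = FIXED.get(package)
    if branches is None or version.startswith("dev-"):
        return None  # not in the advisory, or a branch alias needing manual review
    return branches.get(None) or branches.get(parse_version(version)[0])

def is_vulnerable(package, version):
    """True if the installed version is below the advisory's fix for its branch."""
    fixed = fixed_version_for(package, version)
    return fixed is not None and parse_version(version) < parse_version(fixed)

def audit_lock(lock_text):
    """Return [(package, installed, fixed)] for every affected entry in a composer.lock."""
    lock = json.loads(lock_text)
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, version = pkg["name"], pkg["version"]
        if is_vulnerable(name, version):
            findings.append((name, version, fixed_version_for(name, version)))
    return findings

# Constructed composer.lock excerpt (sample data, not from a real deployment).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "simplesamlphp/simplesamlphp", "version": "v1.15.3"},
    {"name": "simplesamlphp/saml2", "version": "v3.1.3"},
    {"name": "psr/log", "version": "1.0.2"},
]})

if __name__ == "__main__":
    for name, installed, fixed in audit_lock(SAMPLE_LOCK):
        print(f"{name} {installed} is affected; upgrade to >= {fixed}")
```

Point `audit_lock` at the real lock file's contents to audit a deployment; RPM-based installs should instead be checked against the distribution's updated package versions.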