Security Notices and Maintenance
Shibboleth Service Provider Security Advisory (04-May-2016)
Shibboleth has announced a critical security issue that allows an unauthenticated remote attacker to access protected resources, but it affects only a subset of deployers.
Shibboleth SP software
feature implemented incorrectly
The Shibboleth SP software contains a feature to specify protection rules and other settings based on evaluating a regular expression against a portion of the requested URL path. It is used by including a
Note: Deployers that do not make use of the
Check your shibboleth2.xml configuration file for the
• If found, reverse the value (true to false, false to true).
• If not found, add ignoreCase="false" to the element.
Restarting the web server will not be required to effect the change.
Shibboleth information for this Security Advisory can be found here
More information about this feature can be found on the Shibboleth wiki
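As an added illustration (not Shibboleth code), the following models the defect the advisory describes: a regex path rule whose ignoreCase flag is applied the wrong way round, and the workaround of reversing the configured value (with an absent value, defaulting to true, written out as an explicit false). The pattern and paths are constructed sample values.

```python
import re
from typing import Iterable, Optional

# Constructed sample rule: protect everything under /secure/ on the URL path.
SAMPLE_PATTERN = "^/secure/"
SAMPLE_PATHS = ["/secure/report", "/Secure/report", "/SECURE/export"]


def path_matches(pattern: str, path: str, ignore_case: bool) -> bool:
    """Intended semantics: ignore_case=True gives a case-insensitive match."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, path, flags) is not None


def path_matches_inverted(pattern: str, path: str, ignore_case: bool) -> bool:
    """Models the defect: the flag is honoured backwards, so a rule meant to
    ignore case becomes case-sensitive and differently-cased paths fall
    outside the protection rule."""
    return path_matches(pattern, path, not ignore_case)


def workaround_value(configured: Optional[bool]) -> bool:
    """The advisory's workaround: reverse an explicit ignoreCase value; when
    the attribute is absent (default true) add an explicit false."""
    return False if configured is None else not configured


def rule_covers(pattern: str, paths: Iterable[str], configured: Optional[bool]) -> bool:
    """Check that, once the workaround is applied, the defective matcher still
    covers every path the rule was meant to protect."""
    effective = workaround_value(configured)
    return all(path_matches_inverted(pattern, p, effective) for p in paths)


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p,
              "intended:", path_matches(SAMPLE_PATTERN, p, True),
              "defective:", path_matches_inverted(SAMPLE_PATTERN, p, True))
    print("covered after workaround:", rule_covers(SAMPLE_PATTERN, SAMPLE_PATHS, None))
```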
Java Version 1.7.0_85 and AAF Metadata loading errors
7 August 2015
The recent Java 1.7.0_85 release affects Identity Providers, causing them to fail to download and refresh the AAF Metadata and their Attribute filter over HTTPS. Once you upgrade Java to 1.7.0_85 you may see errors in your idp-process.log file similar to the one shown below.
https://ds.test.aaf.edu.au/distribution/metadata/metadata.aaf.signed.complete.xml javax.net.ssl.SSLPeerUnverifiedException: SSL peer failed hostname validation for name: 220.127.116.11
If this is the case, your IdP is no longer loading AAF Metadata or its Attribute filters and will require a minor modification to the Java options at start up.
What you need to do:
The solution is to modify the behaviour of the SSL verification your IdP performs when loading files from the AAF distribution service. The default behaviour changed as a result of the Java upgrade and needs to be changed back. This can be done in the Tomcat config file (catalina.sh) by adding the following configuration line:
Once this is done, restart your IdP. The issue will then be resolved for both the AAF Metadata and Attribute filter loading.
For more information about this issue, go to Shibboleth announcements.