Shibboleth Identity Provider Plugin Security Advisory [23 October 2024]
An updated version of the OpenID Connect OP plugin for the Shibboleth
Identity Provider is now available which corrects a pair of race
conditions in the authorization/authentication request processing.
Both issues are of "low" severity, and neither is likely to manifest
without significant load on the server.
OpenID Connect OP plugin contains two race conditions
======================================================================
A pair of race conditions have been identified in the OP plugin.
The authorization endpoint that processes requests from RP clients
contains a race condition that under load could result in requests
being processed with a login_hint and/or resource parameter value
taken from a different request.
A wrong login hint value may cause an unexpected user experience, for
instance on the login page if the login view has been modified to make
use of the login hint. Our default login views don't include such a
feature.
A wrong resource value may cause an invalid target audience in the
issued access token, or an unexpected user experience if the wrong
audience is invalid for the client. Note that regardless of this bug,
the resource values ultimately processed are validated against the
actual client's metadata.
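The following is an added illustration of the bug class described above and of the kind of regression check a deployer might run against it; it is not code from the Shibboleth project and does not reproduce the plugin's actual implementation. It assumes a hypothetical endpoint object that keeps the login_hint and resource parameters in a field shared across concurrent requests (SharedStateEndpoint), beside a request-scoped variant (RequestScopedEndpoint) that keeps them in a local context. A barrier forces every worker thread to store its parameters before any of them reads them back, so the cross-request mix-up becomes deterministic and countable.

```python
import threading
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class AuthzRequest:
    """Constructed stand-in for an OIDC authorization request (sample values only)."""
    client_id: str
    login_hint: str
    resource: str


class SharedStateEndpoint:
    """Hypothetical buggy shape: per-request parameters kept on the shared endpoint object."""

    def __init__(self, scheduling_point: Callable[[], None]) -> None:
        self._params = None  # shared across threads: the race
        self._scheduling_point = scheduling_point

    def handle(self, req: AuthzRequest) -> Dict[str, str]:
        self._params = (req.login_hint, req.resource)
        self._scheduling_point()  # another request may run here and overwrite _params
        login_hint, resource = self._params
        return {"client_id": req.client_id, "login_hint": login_hint, "resource": resource}


class RequestScopedEndpoint:
    """Corrected shape: parameters live in a context owned by the current request only."""

    def __init__(self, scheduling_point: Callable[[], None]) -> None:
        self._scheduling_point = scheduling_point

    def handle(self, req: AuthzRequest) -> Dict[str, str]:
        ctx = {"login_hint": req.login_hint, "resource": req.resource}  # thread-local by construction
        self._scheduling_point()
        return {"client_id": req.client_id, **ctx}


def make_requests(n: int) -> List[AuthzRequest]:
    """Constructed sample requests, each with a distinct hint and resource."""
    return [
        AuthzRequest(client_id=f"rp-{i}", login_hint=f"user{i}@example.org",
                     resource=f"https://api.example.org/svc{i}")
        for i in range(n)
    ]


def run_concurrently(endpoint_cls, requests: List[AuthzRequest]) -> List[Dict[str, str]]:
    """Run every request on its own thread; the barrier makes all stores happen before any read."""
    barrier = threading.Barrier(len(requests))
    endpoint = endpoint_cls(barrier.wait)
    results: List[Dict[str, str]] = [None] * len(requests)  # type: ignore[list-item]

    def worker(i: int) -> None:
        results[i] = endpoint.handle(requests[i])

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(len(requests))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def count_mismatches(requests: List[AuthzRequest], results: List[Dict[str, str]]) -> int:
    """Regression check: how many responses carry a hint or resource from a different request."""
    return sum(
        1 for req, res in zip(requests, results)
        if res["login_hint"] != req.login_hint or res["resource"] != req.resource
    )


if __name__ == "__main__":
    reqs = make_requests(4)
    print("shared state mismatches:", count_mismatches(reqs, run_concurrently(SharedStateEndpoint, reqs)))
    print("request-scoped mismatches:", count_mismatches(reqs, run_concurrently(RequestScopedEndpoint, reqs)))
```

With four requests, the shared-state variant lets exactly one request's values win and the other three respond with someone else's login_hint and resource, while the request-scoped variant returns zero mismatches. The same mismatch count, applied to responses collected from a real load test with distinct per-request parameter values, is the check a deployer can use to confirm that the updated plugin no longer mixes parameters under load.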
Recommendations
===============
Update to V4.2.0 or later of the OIDC OP plugin, which is now available.
The IdP's plugin installer can perform this update process. The Release
Notes are available at [1].
Note that this plugin requires IdP V5.0 or newer, so you may need to update
the IdP first if you are on an unsupported version.
Credits
=======
This issue was discovered by the Shibboleth Project team itself.
[1] https://shibboleth.atlassian.net/wiki/x/AQCCpQ
URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20241023.txt