Uppdateringen av Shibboleth som kom förra veckan var ett par viktiga säkerhetsuppdatering och det är rekommenderat att uppdatera så snart som möjligt.

 

Pål

 

 

From: announce <announce-bounces@shibboleth.net> On Behalf Of Scott Cantor via announce
Sent: Wednesday, May 13, 2026 10:09 PM
To: announce@shibboleth.net
Cc: Scott Cantor <scott@restingparrotsoftware.com>
Subject: Shibboleth Identity Provider Security Advisory [13 May 2026]

 

OpenPGP meddelande

Vänta medan meddelandet verifieras...

Shibboleth Identity Provider Security Advisory [13 May 2026]

The Shibboleth Identity Provider has, for some time, included a
library known as "JavaMail", more recently "JakartaMail", used
by the Logback logging library to support sending log output
via SMTP mail.

A vulnerability in this library, while not deemed critical in
its own right, has led us to make the unusual decision to remove
this library from the IdP distribution due to the risk of a more
serious vulnerability in the future.

The Jakarta Mail vulnerability was recorded as CVE-2025-7962.

 

Injection vulnerability in SMTP Library included with IdP
=========================================================
The Shibboleth Identity Provider dating back to at least V3.0
includes a library not used by the IdP itself but present to
support an optional Logback feature, an SMTP Appender [1]
that supports log output via SMTP.

It is typically used in conjunction with a filter to limit
the use of the feature to specific log messages of particular
import.

The version of the library shipped with recent versions of the
IdP includes a vulnerability, CVE-2025-7962, that allowed
for SMTP injection based on specially crafted log messages.
The most likely vector for exploit would involve logging
that can be influenced by user input.

Because we believe this feature is very little used and because
we are more concerned about the possibility of future exploits
that could be more serious, we have taken the step of removing
this library from a patch release of the IdP and will not be
replacing it with a fixed version.

Recommendations
===============
Update to V5.2.2 (or later) of the Identity Provider software.

If making use of the Logback SMTP Appender feature, inject a fixed
version of the Jakarta Mail library via the IdP's "edit-webapp"
customization mechanism and rebuild the IdP.

See [2] for the project's home page. The self-contained version
of the library that corrects the specific CVE reported is V2.0.2;
note that this is true despite the official CVE claiming otherwise.

Newer versions (V2.1.x) have a separate implementation jar along
with the original API jar. Refer to their documentation for
specifics.

Notably, use this feature at your own risk. We as a project do
not consider it wise to include an SMTP implementation on the
class path given the risk of a more serious issue causing
exfiltration vulnerabilities.

Credits
=======
Philip Brusten

 

[1] https://logback.qos.ch/manual/appenders.html#SMTPAppender
[2] https://jakartaee.github.io/mail-api/

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20260513b.txt