Hi.
Regarding eduGAIN, the advice is not to fetch their feed directly but to use the feed
that Swamid provides.
eduGAIN is working on reducing the number of namespaces, which I suppose was the problem you are referring to.
I just checked and they still have 53 different ones. Swamid has 19 different ones.
// Björn M.
On 18 May 2026, at 09:32, Roger Mårtensson <Roger.Martensson(a)miun.se> wrote:
Any recommendations regarding the comment about eduGAIN that was given?
(besides upgrading to 5.2.2)
From: Pål Axelsson via Saml-admins <saml-admins(a)lists.sunet.se>
Sent: Monday, 18 May 2026 08:50
To: saml-admins(a)lists.sunet.se
Subject: [Saml-admins] FW: Shibboleth Identity Provider Security Advisory [13 May 2026]
The Shibboleth update that was released last week contained a couple of important
security fixes, and it is recommended to update as soon as possible.
Pål
-----Original Message-----
From: announce <announce-bounces(a)shibboleth.net> On Behalf Of Scott Cantor via announce
Sent: Wednesday, May 13, 2026 10:08 PM
To: announce(a)shibboleth.net
Cc: Scott Cantor <scott(a)restingparrotsoftware.com>
Subject: Shibboleth Identity Provider Security Advisory [13 May 2026]
Shibboleth Identity Provider Security Advisory [13 May 2026]
An updated version of the Identity Provider software is available
which includes explicit features and updated defaults to correct
a denial of service vulnerability that can cause unconstrained
resource consumption using XML that exceeds typical limits on
certain kinds of content.
Updates to OpenSAML are included in this patch, but this advisory
refers to the specific impact and mitigations for the IdP itself.
A separate advisory is available for OpenSAML alone.
Maliciously crafted XML causes excessive resource consumption
=============================================================
While the XML parser in newer versions of Java includes default
settings that limit certain kinds of malicious content, older
versions did not and so can be vulnerable to specially crafted
XML. These default settings are in any case not set low enough
to be safe in this usage context.
The OpenSAML library's decoding of SAML and SOAP messages is
unprotected in its default configuration from such content and
parsing some messages can result in memory and/or CPU exhaustion,
causing a denial of service in applications using it, including
the Shibboleth Identity Provider.
Since most XML message types are parsed either without the
protection of a signature or in advance of evaluating one, the
exploit does not require an authenticated attacker and so is
serious, though as a denial of service issue it remains in a
lower tier of vulnerabilities.
An updated version of the IdP (V5.2.2) is available which
adds new properties that limit parsing of most content that could
expose the system to attack:
* idp.xml.elementAttributeLimit (default 30)
* idp.xml.maxElementDepth (default 25)
In addition, the IdP now uses distinct parser settings when parsing
SAML Metadata that are less strict than those used in general or
messaging scenarios (and can be independently controlled). This
allows for unusually crafted Metadata that has been observed in the
wild by our community.
Finally, the IdP has been enhanced with several new properties that
can be set to control the size limits on various types of SAML and
SOAP messages being decoded. Those limits are not enabled by default,
but are supported in case they are needed in the future.
See also the Release Notes [1] and documentation [2].
Recommendations
===============
Update to V5.2.2 (or later) of the Identity Provider software. The
updated default settings are deemed sufficiently safe at this time.
In the event that upgrading is not possible, in most older versions
one may configure the new parser attributes directly by overriding
the Spring bean used to control the parsing performed in most (but
not all) cases.
To do so, define a bean like so in conf/global.xml:
    <bean id="custom.ParserPool"
          parent="shibboleth.DefaultParserPool">
        <property name="builderAttributes">
            <map>
                <entry key="jdk.xml.elementAttributeLimit" value="30" />
                <entry key="jdk.xml.maxElementDepth" value="25" />
            </map>
        </property>
    </bean>
Then add a property to conf/idp.properties:
idp.xml.parserPool = custom.ParserPool
This is not a foolproof solution for various reasons, but it mitigates
the most common attack vectors.
Note that we do not know the specific older versions of Java that
support these parser attributes, and they are known to have gone by
different names in some older versions prior to Java 17. If you are
on an unsupported, older version, refer to the relevant JAXP parser
documentation in that Java version for details.
Credits
=======
Jens Friess and Haya Schulmann, Goethe University Frankfurt.
[1] https://shibboleth.atlassian.net/wiki/x/T4C0vg
[2] https://shibboleth.atlassian.net/wiki/x/AQDJPQE
URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20260513.txt
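Added example (not from the advisory or the Shibboleth project): a stand-alone Java program that applies the same two JAXP attribute names and values as the custom.ParserPool bean above to a plain DocumentBuilderFactory, then parses constructed documents to show the parser rejecting nesting deeper than 25 levels and an element carrying more than 30 attributes. It assumes a Java 17 or later JDK, whose built-in parser recognises these attribute names; the class and helper names are mine.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class XmlLimitsDemo {
    // Same JAXP attribute names and values as the advisory's custom.ParserPool bean.
    static DocumentBuilder limitedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // String values as in the Spring <map> entries; the JDK parser accepts them.
        f.setAttribute("jdk.xml.elementAttributeLimit", "30");
        f.setAttribute("jdk.xml.maxElementDepth", "25");
        return f.newDocumentBuilder();
    }

    // True if the document parsed, false if the parser rejected it at a limit.
    static boolean accepts(DocumentBuilder b, String xml) throws Exception {
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }
    // Constructed input: an element nested 'depth' levels deep.
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder("<r>");
        for (int i = 0; i < depth; i++) sb.append("<e>");
        for (int i = 0; i < depth; i++) sb.append("</e>");
        return sb.append("</r>").toString();
    }
    // Constructed input: a single element carrying 'attrs' attributes.
    static String wide(int attrs) {
        StringBuilder sb = new StringBuilder("<r");
        for (int i = 0; i < attrs; i++) sb.append(" a").append(i).append("=\"x\"");
        return sb.append("/>").toString();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = limitedParser();
        System.out.println("depth 10:  " + accepts(b, nested(10)));   // inside the 25-level limit
        System.out.println("depth 100: " + accepts(b, nested(100)));  // nesting beyond the limit
        System.out.println("attrs 5:   " + accepts(b, wide(5)));      // inside the 30-attribute limit
        System.out.println("attrs 100: " + accepts(b, wide(100)));    // attributes beyond the limit
    }
}
```

On an older JDK that does not know these attribute names, setAttribute throws IllegalArgumentException, which is the situation the advisory's note about pre-Java 17 naming refers to.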