FreeBSD: VID-B4B7EC7D-CA27-11E7-A12D-6CC21735F730: shibboleth2-sp -- "Dynamic" metadata provider plugin issue
Description
The Internet2 community reports:
The Shibboleth Service Provider software includes a MetadataProvider
plugin with the plugin type "Dynamic" to obtain metadata on demand
from a query server, in place of the more typical mode of
downloading aggregates separately containing all of the metadata to
load.
All the plugin types rely on MetadataFilter plugins to perform
critical security checks such as signature verification, enforcement
of validity periods, and other checks specific to deployments.
Due to a coding error, the "Dynamic" plugin fails to configure
itself with the filters provided to it and thus omits whatever
checks they are intended to perform, which will typically leave
deployments vulnerable to active attacks involving the substitution
of metadata if the network path to the query service is
compromised.
Solution(s)
- freebsd-upgrade-package-shibboleth2-sp
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center