För kännedom!

-- 
jocar
SWAMID Operations

Begin forwarded message:

From: "Cantor, Scott via announce" <announce@shibboleth.net>
Subject: Shibboleth Identity Provider Plugin Security Advisory [12 May 2023]
Date: 15 May 2023 at 18:41:34 CEST
To: "announce@shibboleth.net" <announce@shibboleth.net>
Cc: "Cantor, Scott" <cantor.2@osu.edu>
Reply-To: users@shibboleth.net

Signed PGP part
Shibboleth Identity Provider Plugin Security Advisory [12 May 2023]

An updated version of the OpenID Connect OP plugin for the Shibboleth
Identity Provider is now available which corrects a pair of race
conditions in the client authentication and dynamic registration
features.

Both issues are of "low" severity, and neither is likely to manifest
without significant load on the server.

OpenID Connect OP plugin contains multiple race conditions
======================================================================
A pair of race conditions have been identified in the OP plugin.

The client authentication feature that processes requests from
RP clients to validate access to the OP's endpoints contains a race
condition that under load could result in clients being successfully
validated with a client secret associated with a different client.

This is difficult to exploit due to the lack of predictability, and
would require a client have access to a client secret associated
with a different client being validated at the same time.

A second, less critical race condition was found in the part of the
dynamic client registration support involving metadata policy.
Unknown claims that are intended to be ignored and dropped may be
validated by the wrong policy and could be included in a client's
registration if allowed by the policy applied by mistake.


Recommendations
===============
Update to V3.4.0 or later of the OIDC OP plugin, which is now available.
The IdP's plugin installer can perform this update process.

Note that this plugin requires IdP V4.3, so you may need to patch the
IdP first if you are on an unsupported version.

This minor update includes some changes that may affect a small number of
deployments, so please review the Release Notes [1] when upgrading.


Credits
=======
This issue was discovered by the Shibboleth Project team itself.

[1] https://shibboleth.atlassian.net/wiki/x/AQCCpQ

URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20230512.txt