The Shibboleth update released last week consisted of a couple of important security updates, and it is recommended to update as soon as possible.
Pål
> -----Original Message-----
> From: announce <announce-bounces@shibboleth.net> On Behalf Of Scott Cantor
> via announce
> Sent: Wednesday, May 13, 2026 10:08 PM
> To: announce@shibboleth.net
> Cc: Scott Cantor <scott@restingparrotsoftware.com>
> Subject: Shibboleth Identity Provider Security Advisory [13 May 2026]
>
> Shibboleth Identity Provider Security Advisory [13 May 2026]
>
> An updated version of the Identity Provider software is available
> which includes explicit features and updated defaults to correct
> a denial of service vulnerability that can cause unconstrained
> resource consumption using XML that exceeds typical limits on
> certain kinds of content.
>
> Updates to OpenSAML are included in this patch, but this advisory
> refers to the specific impact and mitigations for the IdP itself.
>
> A separate advisory is available for OpenSAML alone.
>
> Maliciously crafted XML causes excessive resource consumption
> =============================================================
> While the XML parser in newer versions of Java includes default
> settings that limit certain kinds of malicious content, older
> versions did not and so can be vulnerable to specially crafted
> XML. These default settings are in any case not set low enough
> to be safe in this usage context.
>
> The OpenSAML library's decoding of SAML and SOAP messages is
> unprotected in its default configuration from such content and
> parsing some messages can result in memory and/or CPU exhaustion,
> causing a denial of service in applications using it, including
> the Shibboleth Identity Provider.
>
> Since most XML message types are parsed either without the
> protection of a signature or in advance of evaluating one, the
> exploit does not require an authenticated attacker and so is
> serious, though as a denial of service issue it remains in a
> lower tier of vulnerabilities.
>
> An updated version of the IdP (V5.2.2) is available which
> adds new properties that limit parsing of most content that could
> expose the system to attack:
>
> * idp.xml.elementAttributeLimit (default 30)
> * idp.xml.maxElementDepth (default 25)
>
> In addition, the IdP now uses distinct parser settings when parsing
> SAML Metadata that are less strict than those used in general or
> messaging scenarios (and can be independently controlled). This
> allows for unusually crafted Metadata that has been observed in the
> wild by our community.
>
> Finally, the IdP has been enhanced with several new properties that
> can be set to control the size limits on various types of SAML and
> SOAP messages being decoded. Those limits are not enabled by default,
> but are supported in case they are needed in the future.
>
> See also the Release Notes [1] and documentation [2].
>
> Recommendations
> ===============
> Update to V5.2.2 (or later) of the Identity Provider software. The
> updated default settings are deemed sufficiently safe at this time.
>
> In the event that upgrading is not possible, in most older versions
> one may configure the new parser attributes directly by overriding
> the Spring bean used to control the parsing performed in most (but
> not all) cases.
>
> To do so, define a bean like so in conf/global.xml:
>
> <bean id="custom.ParserPool" parent="shibboleth.DefaultParserPool">
>     <property name="builderAttributes">
>         <map>
>             <entry key="jdk.xml.elementAttributeLimit" value="30" />
>             <entry key="jdk.xml.maxElementDepth" value="25" />
>         </map>
>     </property>
> </bean>
>
> Then add a property to conf/idp.properties:
>
> idp.xml.parserPool = custom.ParserPool
>
> This is not a foolproof solution for various reasons, but it mitigates
> the most common attack vectors.
>
> Note that we do not know the specific older versions of Java that
> support these parser attributes, and they are known to have gone by
> different names in some older versions prior to Java 17. If you are
> on an unsupported, older version, refer to the relevant JAXP parser
> documentation in that Java version for details.
>
> Credits
> =======
> Jens Friess and Haya Schulmann, Goethe University Frankfurt.
>
>
> [1] https://shibboleth.atlassian.net/wiki/x/T4C0vg
> [2] https://shibboleth.atlassian.net/wiki/x/AQDJPQE
>
> URL for this Security Advisory:
>
> https://shibboleth.net/community/advisories/secadv_20260513.txt
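The advisory's workaround passes the JAXP limits to the IdP's parser pool through a Spring bean, and warns that the property names are not guaranteed to be recognised by JDKs older than 17. The following is an added example, written for this page and not code from the advisory or from the Shibboleth project, that applies the same two limits to the JDK's own DocumentBuilderFactory and feeds it constructed payloads (a deeply nested document and a single element with many attributes) so you can confirm on the exact JDK that runs your IdP that the attribute names are accepted and that the limits actually reject oversized content. The class name, helper names and the chosen test sizes are assumptions for illustration; the feature and attribute names are standard JAXP/Xerces names.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical probe class (not part of the IdP or OpenSAML).
public class XmlLimitProbe {

    // Constructed payload: a document nested `depth` levels deep, <a><a>...</a></a>.
    // This is the shape that drives recursive-descent DOM building into CPU/memory exhaustion.
    static String deeplyNested(int depth) {
        StringBuilder sb = new StringBuilder("<?xml version=\"1.0\"?>");
        for (int i = 0; i < depth; i++) sb.append("<a>");
        for (int i = 0; i < depth; i++) sb.append("</a>");
        return sb.toString();
    }

    // Constructed payload: one element carrying `count` distinct attributes.
    static String manyAttributes(int count) {
        StringBuilder sb = new StringBuilder("<?xml version=\"1.0\"?><a");
        for (int i = 0; i < count; i++) sb.append(" x").append(i).append("=\"v\"");
        return sb.append("/>").toString();
    }

    // Factory carrying the same limits the advisory recommends, plus the usual
    // hardening (secure processing on, DOCTYPE disallowed so entity expansion
    // and external DTD fetches are not possible at all).
    // Throws IllegalArgumentException if this JDK's parser does not recognise
    // the jdk.xml.* attribute names (the advisory notes they differed before 17).
    static DocumentBuilderFactory limitedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Same values as the custom.ParserPool bean in the advisory.
        f.setAttribute("jdk.xml.elementAttributeLimit", "30");
        f.setAttribute("jdk.xml.maxElementDepth", "25");
        return f;
    }

    // Parses `xml` with the given factory; returns "ok" or a short rejection reason.
    static String tryParse(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            b.parse(new InputSource(new StringReader(xml)));
            return "ok";
        } catch (SAXParseException e) {
            // Limit violations surface here as fatal parse errors.
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f;
        try {
            f = limitedFactory();
        } catch (IllegalArgumentException e) {
            // On such a JDK the Spring bean workaround would not take effect either;
            // consult that JDK's JAXP documentation for the older property names.
            System.out.println("JAXP parser does not recognise limit attribute: " + e.getMessage());
            return;
        }
        // Sizes chosen to sit on either side of the configured limits.
        System.out.println("depth 20:      " + tryParse(f, deeplyNested(20)));
        System.out.println("depth 200:     " + tryParse(f, deeplyNested(200)));
        System.out.println("20 attributes: " + tryParse(f, manyAttributes(20)));
        System.out.println("200 attributes:" + tryParse(f, manyAttributes(200)));
    }
}
```

Run it with the same `java` binary that starts the IdP (for example `javac XmlLimitProbe.java && java XmlLimitProbe`). The small payloads should parse; the oversized ones should be rejected with a message naming the limit that was hit. If the oversized payloads parse cleanly, the limits are not being enforced on that JDK and the bean workaround alone cannot be relied on, which is another reason to prefer the V5.2.2 upgrade the advisory recommends.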