Begin forwarded message:
From: "Cantor, Scott via announce" <announce(a)shibboleth.net>
Subject: Shibboleth Identity Provider Plugin Security Advisory [12 May 2023]
Date: 15 May 2023 at 18:41:34 CEST
To: "announce(a)shibboleth.net" <announce(a)shibboleth.net>
Cc: "Cantor, Scott" <cantor.2(a)osu.edu>
Reply-To: users(a)shibboleth.net
Shibboleth Identity Provider Plugin Security Advisory [12 May 2023]
An updated version of the OpenID Connect OP plugin for the Shibboleth
Identity Provider is now available which corrects a pair of race
conditions in the client authentication and dynamic registration
features.
Both issues are of "low" severity, and neither is likely to manifest
without significant load on the server.
OpenID Connect OP plugin contains multiple race conditions
======================================================================
A pair of race conditions has been identified in the OP plugin.
The client authentication feature, which processes requests from
RP clients to validate access to the OP's endpoints, contains a race
condition that, under load, could result in a client being successfully
validated with a client secret associated with a different client.
This is difficult to exploit due to the lack of predictability, and
would require that a client have access to a client secret associated
with a different client being validated at the same time.
A second, less critical race condition was found in the part of the
dynamic client registration support involving metadata policy.
Unknown claims that are intended to be ignored and dropped may be
validated by the wrong policy and could be included in a client's
registration if allowed by the policy applied by mistake.
Recommendations
===============
Update to V3.4.0 or later of the OIDC OP plugin, which is now available.
The IdP's plugin installer can perform this update process.
Note that this plugin requires IdP V4.3, so you may need to patch the
IdP first if you are on an unsupported version.
This minor update includes some changes that may affect a small number of
deployments, so please review the Release Notes [1] when upgrading.
Credits
=======
These issues were discovered by the Shibboleth Project team itself.
[1] https://shibboleth.atlassian.net/wiki/x/AQCCpQ
URL for this Security Advisory:
https://shibboleth.net/community/advisories/secadv_20230512.txt