The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 23 Next »

This wiki page is a work in progress and will be updated as new information is received and processed.

The Heartbleed Bug

A major new threat is sweeping the Internet. The Heartbleed Bug, announced publicly on April 7, 2014, is a serious vulnerability that affects certain versions of OpenSSL in circulation since 2012.

Recommended Actions

If your SAML deployment relies on an affected version of OpenSSL, it is recommended that you take the following actions to mitigate the vulnerability:

  1. Patch the affected version of OpenSSL
    1. Follow the OS vendor's instructions to upgrade OpenSSL to the latest version
  2. Revoke your browser-facing TLS certificate
    1. Configure the system with a new trusted TLS key and certificate
  3. Revoke your SAML certificate in metadata
    1. Migrate a new certificate into metadata

When all but the final step above have been completed, follow these additional steps to migrate a new certificate into metadata:

  1. Read the X.509 Certificates in Metadata wiki page
    1. Use a long-lived, self-signed certificate
  2. IdP operators: Read the IdP Key Handling wiki page (SP owners might also benefit from reading this page)
    1. Handle the private IdP signing key securely!
  3. Read the Certificate Migration wiki page and its child pages
    1. Unless there is evidence that your IdP signing key has been compromised, migrate a new certificate into metadata, do not simply replace the old certificate (which will adversely affect interoperability).
    2. Assuming your SP partners follow InCommon recommendations with respect to Metadata Consumption, wait at least 24 hours for newly updated metadata to propagate throughout the Federation.

Note Well!

To the extent that you believe your system is vulnerable to The Heartbleed Bug, we provide the above noted guidance. Due to the unique nature of each affected system, you are of course the best source for determining solutions that meet the needs of a given system.

Implementation-specific Information

If you deploy the Shibboleth SP on Windows, versions 2.5.0 (or later), consult the Shibboleth Security Advisory issued on 9 April 2014.

SimpleSAMLphp deployments may be particularly vulnerable. Please read the entire thread entitled "heartbleed and SimpleSAMLphp" on the simpleSAMLphp mailing list.

Resources

#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels