Note that this page has been deprecated. The information it contains is no longer current.
This wiki page is a work in progress and will be updated as new information is received and processed.
A serious vulnerability has been found to affect many Internet hosts. The Heartbleed Bug (CVE-2014-0160), announced publicly on April 7, 2014, affects OpenSSL 1.0.1 through 1.0.1f, versions in circulation since March 2012; it is fixed in OpenSSL 1.0.1g. A vulnerable server can be made to return up to 64 KB of its process memory per request, which may include its TLS private key, so patching alone is not sufficient: any key that was in use while the server was vulnerable must be assumed exposed and replaced.
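Deciding whether a given host is affected is harder than comparing version numbers, because Linux distributions commonly backport the fix without changing the version string (Debian, Ubuntu and Red Hat all kept reporting 1.0.1e after patching), and because builds compiled with -DOPENSSL_NO_HEARTBEATS never had the vulnerable extension at all. The following triage helper is an added example, not part of this page or of any InCommon tooling. It reads the output of `openssl version -a` and applies three facts (the affected range 1.0.1 to 1.0.1f plus 1.0.2-beta1, the -DOPENSSL_NO_HEARTBEATS opt-out, and the 1.0.1g release date) together with one heuristic that is an assumption of this example, not a rule: a build dated on or after April 7, 2014 whose version is still in the affected range is probably a distribution rebuild and must be confirmed against the package changelog. The sample outputs are constructed, not captured from real hosts.

```python
"""Triage `openssl version -a` output for Heartbleed (CVE-2014-0160) exposure.

Added example; not InCommon's code. The build-date heuristic below is an
assumption: it cannot prove a backport, it only tells you to check further.
"""
import re
import sys
from datetime import date

FIX_DATE = date(2014, 4, 7)  # OpenSSL 1.0.1g and most distribution rebuilds shipped this day
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

NOT_AFFECTED = "not affected"
AFFECTED = "affected: upgrade, then replace keys and certificates"
VERIFY = "version in affected range but built after the fix: confirm against the package changelog"


def parse_version_output(text):
    """Extract (version, build date or None, compiler line) from `openssl version -a`."""
    version, built, compiler = None, None, ""
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"OpenSSL\s+(\S+)", line)
        if m and version is None:
            version = m.group(1)  # e.g. "1.0.1e" or "1.0.1e-fips"
        elif line.startswith("built on:"):
            # e.g. "built on: Mon Apr  7 20:33:29 UTC 2014" (1.0.x date layout)
            m = re.search(r"\b(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
                          r"\s+(\d{1,2})\b.*\b(\d{4})\s*$", line)
            if m:
                built = date(int(m.group(3)), MONTHS[m.group(1)], int(m.group(2)))
        elif line.startswith("compiler:"):
            compiler = line  # carries the -D flags the library was built with
    return version, built, compiler


def assess(version_output):
    """Return one of NOT_AFFECTED, AFFECTED or VERIFY for the given `openssl version -a` text."""
    version, built, compiler = parse_version_output(version_output)
    if version is None:
        raise ValueError("no 'OpenSSL x.y.z' line found")
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unparseable version: " + version)
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    if "OPENSSL_NO_HEARTBEATS" in compiler:
        return NOT_AFFECTED  # heartbeat extension compiled out
    in_range = (branch == (1, 0, 1) and letter <= "f") or \
               (branch == (1, 0, 2) and "beta1" in version)
    if not in_range:
        return NOT_AFFECTED  # 0.9.8, 1.0.0, 1.0.1g and later, 1.0.2-beta2 and later
    if built is not None and built >= FIX_DATE:
        return VERIFY  # heuristic: likely a distribution rebuild with the fix backported
    return AFFECTED


# Constructed sample outputs (not captured from real hosts).
SAMPLES = {
    "stock_1.0.1e": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Feb 11 13:52:46 UTC 2014\n"
                    "compiler: gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN",
    "distro_rebuild_1.0.1e": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:29 UTC 2014\n"
                             "compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS",
    "no_heartbeats": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Feb 11 13:52:46 UTC 2014\n"
                     "compiler: gcc -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS",
    "fixed_1.0.1g": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 16:06:36 UTC 2014\n"
                    "compiler: gcc -DOPENSSL_THREADS",
    "old_branch": "OpenSSL 1.0.0k 5 Feb 2013",
}

if __name__ == "__main__":
    # Usage: openssl version -a | python3 heartbleed_triage.py
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    for name, sample in ([("stdin", text)] if text else SAMPLES.items()):
        print("%-24s %s" % (name, assess(sample)))
```

Run it as `openssl version -a | python3 heartbleed_triage.py` on each host; a VERIFY result means checking `rpm -q --changelog openssl` or `apt-get changelog libssl1.0.0` (or rebuilding) before trusting the host.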
The following InCommon servers were not running a vulnerable version of OpenSSL and therefore were not affected by this bug:
The following InCommon server, which serves a single HTML resource, was found to be running a vulnerable version of OpenSSL:
The above server was patched, its TLS certificate was revoked, and a new TLS key and certificate were installed, in that order (a new key generated before patching could itself have been exposed). The content on that server was reviewed and found to be intact. These steps restored trust in the integrity of the HTML resource.
If your SAML deployment relies on an affected version of OpenSSL, you should take the following actions to mitigate that vulnerability:
When all but step 3 above have been completed, follow these additional steps to migrate a new certificate into metadata:
To the extent that you believe your system is vulnerable to the Heartbleed Bug, the guidance above applies. Because each affected system is different, you are the best judge of the remediation that fits a given system.
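Migrating a replacement certificate into SAML metadata is a two-phase key rollover rather than a single swap: the new certificate is first published alongside the old one, so partners who have refreshed metadata accept signatures from either key; the deployment is then switched to the new key; and only after partners have had time to refresh is the old certificate removed. The code below is an added example of those two phases (it is not InCommon's tooling, and the two-phase sequence is this example's assumption about the procedure, not a quotation of the page's step list). It edits an EntityDescriptor with the standard library only; the metadata and the base64 certificate strings are constructed placeholders, and the role-descriptor names and namespaces are those of the SAML 2.0 metadata and XML Signature schemas.

```python
"""Two-phase certificate rollover in SAML metadata (added example, not InCommon code).

Phase 1, add_certificate: publish the new certificate next to the old one.
Phase 2, remove_certificate: drop the old certificate once partners have refreshed.
The function never leaves a role with no KeyDescriptor at all.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)  # keep the conventional prefixes on output
ET.register_namespace("ds", DS)
KEY_DESCRIPTOR = "{%s}KeyDescriptor" % MD
X509_CERT = "{%s}X509Certificate" % DS

OLD_CERT = "MIIC...base64-of-the-compromised-certificate..."  # constructed placeholder
NEW_CERT = "MIIC...base64-of-the-replacement-certificate..."  # constructed placeholder

# Constructed SP metadata with a single (compromised) certificate.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.edu/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (MD, DS, OLD_CERT)


def _certs_in(element):
    return [(c.text or "").strip() for c in element.iter(X509_CERT)]


def _roles(root):
    # SPSSODescriptor, IDPSSODescriptor, AttributeAuthorityDescriptor, ... all carry KeyDescriptors
    return [child for child in root if child.tag.endswith("Descriptor")]


def certificates(metadata_xml):
    """Certificates published in the metadata, in document order."""
    return _certs_in(ET.fromstring(metadata_xml))


def add_certificate(metadata_xml, cert_b64):
    """Phase 1: publish cert_b64 after the existing KeyDescriptors of every role,
    one copy per distinct 'use' value so signing and encryption keys both roll."""
    root = ET.fromstring(metadata_xml)
    if cert_b64 in _certs_in(root):
        raise ValueError("certificate already published")
    for role in _roles(root):
        existing = role.findall(KEY_DESCRIPTOR)
        if not existing:
            continue
        # Schema order requires KeyDescriptor before the endpoint elements,
        # so insert directly after the last existing one.
        position = list(role).index(existing[-1]) + 1
        for use in dict.fromkeys(kd.get("use") for kd in existing):
            kd = ET.Element(KEY_DESCRIPTOR, {"use": use} if use else {})
            x509 = ET.SubElement(ET.SubElement(kd, "{%s}KeyInfo" % DS), "{%s}X509Data" % DS)
            ET.SubElement(x509, X509_CERT).text = cert_b64
            kd.tail = existing[-1].tail  # keep the line breaks of the surrounding markup
            role.insert(position, kd)
            position += 1
    return ET.tostring(root, encoding="unicode")


def remove_certificate(metadata_xml, cert_b64):
    """Phase 2: remove every KeyDescriptor carrying cert_b64, refusing to empty a role."""
    root = ET.fromstring(metadata_xml)
    removed = 0
    for role in _roles(root):
        kds = role.findall(KEY_DESCRIPTOR)
        doomed = [kd for kd in kds if cert_b64 in _certs_in(kd)]
        if doomed and len(doomed) == len(kds):
            raise ValueError("refusing to remove the only certificate(s) of " + role.tag)
        for kd in doomed:
            role.remove(kd)
            removed += 1
    if not removed:
        raise ValueError("certificate not published")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    phase1 = add_certificate(SAMPLE_METADATA, NEW_CERT)
    print("after phase 1:", certificates(phase1))   # old and new
    phase2 = remove_certificate(phase1, OLD_CERT)
    print("after phase 2:", certificates(phase2))   # new only
```

Between the two phases the deployment itself must be switched to the new key; the federation's metadata refresh interval sets the minimum time to wait before phase 2, since any partner that has not yet picked up the phase-1 metadata will reject signatures made with the new key.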
To ensure that you receive metadata updates from partners, including their replacement certificates, in a timely manner, review the metadata refresh process of each of your SAML deployments, whether or not it is vulnerable:
If you recently completed the widely publicized Metadata Migration Process, the above issues will have been already addressed.
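A key rollover only reaches partners as fast as their slowest metadata refresh, so the refresh cadence of each deployment is worth checking mechanically. The helper below is an added example, not part of this page or of InCommon's software: it reads the validUntil and cacheDuration attributes that a signed aggregate carries on its root EntitiesDescriptor and compares them with a deployment's configured refresh interval. The rule it applies (refresh at least twice within the remaining validity window, and no less often than the publisher's cacheDuration) is a practitioner's rule of thumb and an assumption of this example, not an InCommon requirement; the aggregate below is a constructed stub, not the real signed aggregate.

```python
"""Check a deployment's metadata refresh interval against the aggregate's validity.

Added example, not InCommon code. The thresholds are assumptions (see lead-in).
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed stub of a signed aggregate; only the root attributes matter here.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:mace:incommon" validUntil="2014-04-21T19:00:00Z" cacheDuration="PT12H">
  <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth"/>
</md:EntitiesDescriptor>"""


def parse_duration(iso):
    """Parse the xs:duration subset used in metadata: P[nD][T[nH][nM][nS]]."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso)
    if not m or iso in ("P", "PT"):
        raise ValueError("unsupported duration: " + iso)
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_instant(iso):
    """Parse a UTC xs:dateTime of the form used by validUntil."""
    return datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_refresh(metadata_xml, refresh_interval, now):
    """Return a list of findings (empty means the cadence looks adequate).

    refresh_interval is an xs:duration such as "PT6H"; now is a UTC xs:dateTime.
    """
    root = ET.fromstring(metadata_xml)
    interval = parse_duration(refresh_interval)
    findings = []
    valid_until = root.get("validUntil")
    if valid_until is None:
        findings.append("no validUntil: stale metadata would be trusted indefinitely")
    else:
        remaining = parse_instant(valid_until) - parse_instant(now)
        if remaining <= timedelta(0):
            findings.append("metadata already expired")
        elif interval > remaining / 2:
            # One missed refresh must not be enough to let the copy expire.
            findings.append("refresh interval exceeds half the remaining validity window")
    cache = root.get("cacheDuration")
    if cache and interval > parse_duration(cache):
        findings.append("refresh interval exceeds the publisher's cacheDuration")
    return findings


if __name__ == "__main__":
    for interval in ("PT6H", "P1D", "P7D"):
        print(interval, assess_refresh(SAMPLE_AGGREGATE, interval, "2014-04-10T00:00:00Z"))
```

For a Shibboleth deployment the refresh interval to feed in is the one configured on the metadata provider (for example the `reloadInterval` on a Shibboleth SP `MetadataProvider`); the check says nothing about signature verification, which must also be enabled and is a separate review item.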
If you deploy the Shibboleth SP on Windows, version 2.5.0 or later, consult the Shibboleth Security Advisory issued on 9 April 2014: the Windows installers bundle their own copy of OpenSSL, so the SP must be updated even if the operating system's OpenSSL has been patched.
If you are using simpleSAMLphp, we recommend reading the entire thread entitled "heartbleed and SimpleSAMLphp" (https://groups.google.com/forum/#!topic/simplesamlphp/XphXXmVhMVI) on the simpleSAMLphp mailing list.
For further discussion:
The Internet is unfortunately not as safe and reliable as many people, even among IT experts, tend to believe, and only a joint effort can fix it. (Lessons learned from the Heartbleed incident by Alexei Balaganski)