New versions of the Jetty Java servlet engine have been released for the 9.2.x, 9.3.x, and 9.4.x branches. These versions address five security vulnerabilities.
As a result, all deployers of the Shibboleth Identity Provider software utilizing Jetty (the default in IdP 3.0+) must deploy these updates.
Please note that these security vulnerabilities do NOT impact Shibboleth Service Providers.
If you have deployed Shibboleth IdP on Linux using the recommended instructions, you will need to manually redeploy Jetty to ensure that you are running the latest version of either Jetty 9.2 or 9.3:
Please note that these security vulnerabilities do NOT impact Shibboleth Identity Providers deployed using the Tomcat Servlet Engine.
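As an added example (not code from the original post, nor from the Shibboleth or Jetty projects), the following POSIX shell check reads the Jetty version installed under a Jetty home directory from the name of the jetty-server jar and compares it against a minimum version you supply for that branch, so you can confirm a redeploy actually put the patched build in place. It assumes the jar is laid out as lib/jetty-server-<version>.v<date>.jar; the minimum versions shown in the usage comments are placeholders, to be replaced with the fixed versions from the Jetty announcement.

```shell
#!/bin/sh
# Added example: verify which Jetty build a Jetty home directory contains.
# Assumption: the version is embedded in lib/jetty-server-<ver>.v<date>.jar.

# Print the Jetty version from the jetty-server jar name,
# e.g. lib/jetty-server-9.3.24.v20180605.jar -> 9.3.24
jetty_version_from_home() {
    home="$1"
    for jar in "$home"/lib/jetty-server-*.jar; do
        [ -f "$jar" ] || return 1          # glob did not match: no jar found
        base=$(basename "$jar" .jar)
        ver=${base#jetty-server-}          # drop the "jetty-server-" prefix
        ver=${ver%%.v*}                    # drop the ".vYYYYMMDD" build suffix
        echo "$ver"
        return 0
    done
    return 1
}

# Return 0 when dotted version $1 >= $2, comparing up to three numeric fields.
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        fa=$(echo "$a" | cut -d. -f"$i"); fb=$(echo "$b" | cut -d. -f"$i")
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Check a Jetty home against the minimum fixed version for its branch.
# Exit status: 0 = at or above minimum, 1 = below minimum (redeploy needed),
# 2 = version unreadable or the minimum is for a different 9.x branch.
check_jetty_home() {
    home="$1"; min="$2"
    ver=$(jetty_version_from_home "$home") || return 2
    [ "${ver%.*}" = "${min%.*}" ] || return 2   # branch (major.minor) must match
    version_ge "$ver" "$min"
}

# Usage: sh jetty-check.sh /opt/jetty 9.3.MIN   (MIN is a placeholder; use the
# fixed version for your branch from the Jetty security announcement)
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    if check_jetty_home "$1" "$2"; then
        echo "OK: Jetty $(jetty_version_from_home "$1") is at or above $2"
    else
        rc=$?
        [ "$rc" -eq 1 ] && echo "REDEPLOY: Jetty $(jetty_version_from_home "$1") is below $2"
        [ "$rc" -eq 2 ] && echo "UNKNOWN: could not read a version on the $2 branch under $1"
        exit "$rc"
    fi
fi
```

Run it once per Jetty home on each IdP host after the redeploy; a non-zero exit is the signal that the old build is still the one in service, which is easy to miss when the new Jetty was unpacked beside, rather than over, the old one.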
The Shibboleth Consortium has announced a Windows-only service release for Shibboleth Identity Provider (IdP) taking the latest version of the IdP for Windows to v. 126.96.36.199.
This service update deploys a new version of Jetty which corrects the vulnerabilities outlined in the security advisory.
The update can be downloaded here.
Nature of the Vulnerabilities
The vulnerabilities are with various components of the Jetty Servlet Engine. For more information on the scope of the vulnerabilities, see the official announcement posting on the Jetty forums.
IDM Integration is always available to assist with your emergency patch or with planning updates for your Shibboleth or SAML-based Single Sign-On (SSO) infrastructure. Contact us to schedule a consultation with one of our Shibboleth experts regarding your environment or planning your Identity Provider upgrade today!
Shibboleth IdP version 3.0 was released on December 22, 2014. Detailed documentation on Shibboleth IdP v3 can be found on the Shibboleth wiki.
With the Shibboleth Consortium expected to announce the end date for the V2 Identity Provider soon, it is worth moving to Shibboleth IdP V3 for new deployments. If you are running Shibboleth IdP V2, you may want to start planning your upgrade to V3.
You can find the most up-to-date list of system requirements here. While there are no specific operating system requirements, Linux, OS X and Windows are recommended. Oracle Java or OpenJDK versions 7 and 8 are the supported Java environments, and only Tomcat 8.x and Jetty 9.2.x are officially supported servlet containers.
What’s New in IdP V3?
Internet2’s recent press release does a good job of summarizing the key features of Shibboleth IdP V3:
- uApprove integration, which provides individuals with information about the attributes requested by service providers and gives individuals the ability to control attribute release
- Built-in support for CAS, which means IdP V3 can handle both on-campus SSO and federated authentication to access external SAML-protected services
- Ability to support multiple algorithms for signing and encryption simultaneously, allowing organizations to increase the security of their transactions without compromising compatibility with older systems
- Built-in next generation federation features such as the emerging Metadata Query Protocol, allowing on-demand metadata lookup that is replacing the need to compile ever-larger metadata aggregates
- Support for internationalizing user interface and error messages
The Shibboleth wiki has more detail on all of the changes you can expect from IdP V3.
We are excited about Shibboleth IdP V3, and we are ready to help you plan your upgrade or new installation. We have flexible support options to help you get past configuration issues as well as comprehensive support options for your IdP environment.
Keep an eye on our blog for more articles to help you make the transition from Shibboleth IdP V2 to V3.