TomEE / TOMEE-2997

Update OpenSAML to V3.4.6


Details

    • Type: Dependency upgrade
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 8.0.6
    • Fix Version/s: 8.0.7, 8.0.8
    • Component/s: TomEE Core Server
    • Labels: None

    Description

      TomEE's latest available version, 8.0.6, ships the opensaml component at version 3.3.1, which is vulnerable to the security issues listed below:

      Vulnerability Details

      CVE-2020-27978

      Vulnerability Published: 2020-10-28 11:15 EDT
      Vulnerability Updated: 2020-10-28 12:26 EDT
      CVSS Score: (under review, not scored yet - updates will be reported in issue comments)

      Summary: Shibboleth Identity Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session.

      BDSA-2019-4785

      Affected Component(s): OpenSAML 2.0
      Vulnerability Published: 2020-10-29 11:37 EDT
      Vulnerability Updated: 2020-10-29 11:37 EDT
      CVSS Score: 6.5 (overall), 7.5 (base)

      Summary: Shibboleth Identity Provider is vulnerable to denial-of-service (DoS) due to improper processing of authentication webflows. An attacker could exploit this vulnerability by supplying a system with maliciously crafted requests.

      ------------

      The issue is fixed in version 3.4.6 or later.
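As an added check that is not part of the issue or of the TomEE project's code: a POSIX shell function that lists the OpenSAML jars in a TomEE lib directory whose file-name version is below the fixed release 3.4.6. It assumes the jar names end in a dotted numeric version (as in opensaml-core-3.3.1.jar) and that `sort -V` is available.

```shell
#!/bin/sh
# Added example, not from the TomEE issue: flag OpenSAML jars older than
# the release in which the reported denial-of-service issues are fixed.
FIXED_OPENSAML="3.4.6"

# opensaml_below_fix DIR
#   Prints "<jar-name> <version>" for every opensaml-*.jar in DIR whose
#   version sorts below $FIXED_OPENSAML. Returns 0 when no such jar exists
#   and 1 when at least one outdated jar was found (the convention of a
#   check that "fails" on an affected installation).
opensaml_below_fix() {
  dir="$1"
  found=0
  for jar in "$dir"/opensaml-*.jar; do
    # the glob stays literal when the directory holds no matching jar
    [ -e "$jar" ] || continue
    name=$(basename "$jar" .jar)
    # assumed naming: the version is the text after the last '-'
    ver=${name##*-}
    case "$ver" in
      [0-9]*.[0-9]*) ;;
      *) continue ;;   # no numeric version in the file name; skip it
    esac
    # sort -V orders versions numerically; the first line is the older one
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_OPENSAML" | sort -V | head -n 1)
    if [ "$lowest" = "$ver" ] && [ "$ver" != "$FIXED_OPENSAML" ]; then
      printf '%s %s\n' "$name" "$ver"
      found=1
    fi
  done
  return $found
}

# Example usage against a TomEE installation (path is an assumption):
#   opensaml_below_fix /opt/tomee/lib && echo "no outdated OpenSAML jars"
```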

      Attachments

        1. opensaml_files.png (16 kB, uploaded by Nikhil)
      People

        Assignee: rzo1 Richard Zowalla
        Reporter: somasaninikhil Nikhil