Bug 1518584 (CVE-2017-16853)

Summary: CVE-2017-16853 opensaml: The DynamicMetadataProvider class does not perform various security checks
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aileenc, bmaxwell, bruno, cdewolf, chazlett, csutherl, darran.lofthouse, dimitris, dosoudil, fgavrilo, guido.grazioli, gvarsami, jawilson, jcoleman, jolee, jondruse, jshepherd, kconner, ldimaggi, lgao, loleary, myarboro, nwallace, pgier, pjurak, ppalaga, psakar, pslavice, psotirop, rnetuka, rstancel, rsvoboda, rwagner, spinder, tcunning, theute, tkirby, twalsh, vhalbert, vtunka
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: opensaml 2.6.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 03:32:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1518585
Bug Blocks: 1518586

Description Andrej Nemec 2017-11-29 09:13:47 UTC
The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicMetadataProvider.cpp in OpenSAML-C in OpenSAML before 2.6.1 fails to properly configure itself with the MetadataFilter plugins and does not perform critical security checks such as signature verification, enforcement of validity periods, and other checks specific to deployments, aka CPPOST-105.

Upstream patch:

https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=6182b0acf2df670e75423c2ed7afe6950ef11c9d

References:

https://shibboleth.net/community/advisories/secadv_20171115.txt
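
An added illustration of the failure mode the description names, written for this entry and not taken from OpenSAML's code: a per-entity metadata resolver that caches a freshly fetched descriptor without ever running the configured filter chain over it, next to the same resolver applying every filter before caching. The EntityDescriptor struct, the two filters, the in-memory "source" standing in for the per-entity HTTP fetch and the signatureVerified flag (standing in for a real XML-DSig check) are all constructed assumptions; the three entity IDs are constructed sample data.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Constructed stand-in for a SAML EntityDescriptor; only the fields the
// filters below look at are modelled.
struct EntityDescriptor {
    std::string entityID;
    int64_t validUntil;      // epoch seconds; 0 means no validUntil attribute
    bool signatureVerified;  // assumption: outcome of an XML-DSig check done elsewhere
};

// Filter interface in the spirit of a MetadataFilter plugin: a descriptor
// is usable only if every configured filter accepts it.
struct MetadataFilter {
    virtual ~MetadataFilter() {}
    virtual bool accept(const EntityDescriptor& e, int64_t now) const = 0;
};

// Enforces the validity period: validUntil must be present, still in the
// future, and no further out than maxValidity seconds.
struct RequireValidUntilFilter : MetadataFilter {
    int64_t maxValidity;
    explicit RequireValidUntilFilter(int64_t m) : maxValidity(m) {}
    bool accept(const EntityDescriptor& e, int64_t now) const {
        if (e.validUntil == 0) return false;
        if (e.validUntil <= now) return false;
        return (e.validUntil - now) <= maxValidity;
    }
};

// Requires the descriptor's signature to have verified.
struct SignatureFilter : MetadataFilter {
    bool accept(const EntityDescriptor& e, int64_t) const {
        return e.signatureVerified;
    }
};

typedef std::map<std::string, EntityDescriptor> MetadataSource;

// Per-entity resolver: on a cache miss it "fetches" the descriptor from the
// source, which stands in for the HTTP lookup a dynamic provider performs.
class DynamicProvider {
public:
    DynamicProvider(const MetadataSource& src, bool applyFilters)
        : src_(src), applyFilters_(applyFilters) {}

    void addFilter(MetadataFilter* f) { filters_.push_back(std::unique_ptr<MetadataFilter>(f)); }

    // Returns the cached descriptor, or nullptr if unknown or rejected by a filter.
    const EntityDescriptor* getEntityDescriptor(const std::string& id, int64_t now) {
        std::map<std::string, EntityDescriptor>::const_iterator c = cache_.find(id);
        if (c != cache_.end()) return &c->second;
        MetadataSource::const_iterator s = src_.find(id);
        if (s == src_.end()) return nullptr;
        // The defect this entry describes: with applyFilters_ false the fetched
        // descriptor is cached without the filter chain ever seeing it.
        // The corrected path runs every configured filter first.
        if (applyFilters_) {
            for (size_t i = 0; i < filters_.size(); ++i)
                if (!filters_[i]->accept(s->second, now)) return nullptr;
        }
        cache_[id] = s->second;
        return &cache_[id];
    }

private:
    MetadataSource src_;
    bool applyFilters_;
    std::vector<std::unique_ptr<MetadataFilter> > filters_;
    std::map<std::string, EntityDescriptor> cache_;
};

// Constructed sample: one good, one expired and one unsigned descriptor.
MetadataSource sampleSource(int64_t now) {
    MetadataSource src;
    src["https://good.example/sp"]     = EntityDescriptor{"https://good.example/sp",     now + 3600, true};
    src["https://expired.example/sp"]  = EntityDescriptor{"https://expired.example/sp",  now - 60,   true};
    src["https://unsigned.example/sp"] = EntityDescriptor{"https://unsigned.example/sp", now + 3600, false};
    return src;
}

// Counts how many of the three sample entities a provider resolves.
int acceptedCount(bool applyFilters) {
    const int64_t now = 1700000000;  // constructed clock value
    DynamicProvider p(sampleSource(now), applyFilters);
    p.addFilter(new RequireValidUntilFilter(14 * 24 * 3600));  // two-week cap
    p.addFilter(new SignatureFilter());
    const char* ids[] = {"https://good.example/sp", "https://expired.example/sp", "https://unsigned.example/sp"};
    int accepted = 0;
    for (const char* id : ids)
        if (p.getEntityDescriptor(id, now) != nullptr) ++accepted;
    return accepted;
}
```

The unfiltered provider resolves all three constructed entities, expired and unsigned ones included; the filtered provider resolves only the signed, unexpired descriptor. The check to carry into a real deployment is that every path which produces a descriptor (static file, aggregate, per-entity lookup) must run the same signature and validity filters before the result is cached or handed to the SSO logic, and that the per-entity path is the one to test, since it is exercised only for entities absent from the static sources.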

Comment 1 Andrej Nemec 2017-11-29 09:14:43 UTC
Created opensaml tracking bugs for this issue:

Affects: fedora-all [bug 1518585]