Prepare to Respond to Critical Vulnerability for Shibboleth Service Providers

This advisory is intended for U-M Shibboleth Service Providers.

Summary

ITS Identity and Access Management (IAM) has been notified of a vulnerability in OpenSAML libraries that could expose Shibboleth Service Providers (SPs) to a critical Single Sign On (SSO) forgery/impersonation attack.

The expectation is that a patch to OpenSAML (not yet released) will fix the vulnerability.

Problem

Exploitation of the vulnerability exposes the SP to a critical SSO forgery/impersonation attack: an attacker could present forged SSO assertions that the SP accepts as if they had come from the identity provider, and thereby impersonate users at that SP. This is a full break, not a partial weakening, and it likely affects every SP dating back to the original 2.0 release.

Threats

Exploitation of the vulnerability has been tested and confirmed in a test environment.

Affected Versions

All versions of Shibboleth SP released to date (2.0 onward). Because the fix is expected to arrive as an OpenSAML library update rather than as an SP-only change, the OpenSAML library packages on each host must be updatable as well, not just the SP package.

Action Items

If you own a site that uses Shibboleth for SSO, plan to take action as soon as the vulnerability details and updates are released. Prepare now: identify every host that runs the Shibboleth SP, record the installed SP and OpenSAML versions on each, confirm how you will apply the update (vendor package repository or source build), and make sure someone is available to apply it promptly once it ships.
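Preparation check, as an added example that is not part of the ITS advisory or of the Shibboleth project's own tooling: a POSIX shell script that records the Shibboleth SP version on a host and, once a fixed version is announced, compares the installed version against it. It assumes the SP daemon is installed as shibd and prints a banner containing "version X.Y.Z" when run as `shibd -v`, and that the package name patterns match the Shibboleth project's RPM repository and the Debian/Ubuntu packages; verify both assumptions on your own hosts before relying on the output.

```shell
#!/bin/sh
# Added example, not from the ITS advisory or the Shibboleth project.
# Records the installed Shibboleth SP version on a host and compares it
# against a fixed version once the project announces one.
#
# Assumptions (verify on your hosts): the SP daemon is installed as `shibd`
# and prints a banner containing "version X.Y.Z" for `shibd -v`; the package
# name patterns below match the Shibboleth RPM repository (RHEL/CentOS) and
# the Debian/Ubuntu packages.

# Pull the dotted version number out of a shibd version banner.
# Prints X.Y.Z, or nothing if the line carries no "version N..." token.
parse_shibd_version() {
    printf '%s\n' "$1" | sed -n 's/.*version[[:space:]]*\([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted numeric versions component by component.
# Prints "older", "same" or "newer" describing $1 relative to $2.
# Missing components count as 0, so 2.6 and 2.6.0 compare as "same".
# Pre-release suffixes (e.g. 3.0.0rc1) are not handled; strip them first.
compare_versions() {
    i=1
    while :; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            echo same
            return 0
        fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo older; return 0; fi
        if [ "$x" -gt "$y" ]; then echo newer; return 0; fi
        i=$((i + 1))
    done
}

# Exit status 0 when the installed version ($1) is older than the fixed
# version ($2), i.e. when the host still needs the update.
needs_update() {
    [ "$(compare_versions "$1" "$2")" = older ]
}

# Collect what an administrator should record now: where shibd lives, its
# version banner, and the SAML/XML library packages an OpenSAML fix would
# replace. Optional $1 is a fixed version to compare against.
inventory_host() {
    fixed=${1:-}
    shibd_bin=$(command -v shibd 2>/dev/null || ls /usr/sbin/shibd 2>/dev/null)
    if [ -z "$shibd_bin" ]; then
        echo "shibd not found: this host does not appear to run the Shibboleth SP"
        return 1
    fi
    banner=$("$shibd_bin" -v 2>&1 | head -n 1)
    installed=$(parse_shibd_version "$banner")
    echo "host:      $(hostname)"
    echo "shibd:     $shibd_bin"
    echo "banner:    $banner"
    echo "version:   ${installed:-unknown}"

    echo "packages:"
    # Package name patterns are assumptions; adjust to your distribution.
    rpm -qa 'shibboleth*' 'opensaml*' 'xmltooling*' 'libsaml*' 'libxmltooling*' 2>/dev/null
    dpkg-query -W 'libapache2-mod-shib*' 'shibboleth-sp*' 'libsaml*' 'libxmltooling*' 2>/dev/null

    if [ -n "$fixed" ] && [ -n "$installed" ]; then
        if needs_update "$installed" "$fixed"; then
            echo "status:    UPDATE REQUIRED ($installed is older than $fixed)"
        else
            echo "status:    at or above $fixed"
        fi
    fi
}

# Run the inventory only when invoked directly, e.g.:
#   sh sp-inventory.sh --run          # record the current state
#   sh sp-inventory.sh --run X.Y.Z    # X.Y.Z = the fixed version, once announced
if [ "${1:-}" = "--run" ]; then
    inventory_host "${2:-}"
fi
```

Run it on each SP host now and keep the output with your change records; when the fix is published, run it again with the announced fixed version so that hosts still reporting UPDATE REQUIRED are easy to spot.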

Technical Details

Technical details have not been released.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues. Falcon is an endpoint detection and response tool; it does not correct the flaw in the SP's SAML processing itself, so it complements but does not replace applying the OpenSAML update when it is released.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.