Prepare to Respond to Vulnerability in SimpleSAMLphp

This message is intended for the U-M Security Community and for individuals listed as site owners or contacts for sites that ITS can identify as possibly impacted by this vulnerability.

Summary

We have been informed of a vulnerability warning for SimpleSAMLphp, and an important update is expected to be released soon. SimpleSAMLphp is often included in higher-level software, such as authentication plugins/modules for Drupal, WordPress, and other web applications.

We will be contacting owners of websites that may be using SimpleSAMLphp and letting them know that they need to be prepared to apply an update.

We are unable to reliably identify all impacted websites, as this software can be used in ways that may prevent us from identifying its usage. Please forward this advisory to website administrators in your unit who may need to be aware.

Affected Systems

The following list is not exhaustive, but includes what ITS can determine given the information we have at this time.

The following WILL need to be updated:

  • SimpleSAMLphp library (if you are using it directly in your code)
  • WP SAML Auth WordPress plugin (if configured for use with SimpleSAMLphp, which is the most common way to use it at U-M; it is not affected if you configured it to use OneLogin)
  • Drupalauth module for Drupal
  • simplesaml module for Drupal

The following ARE NOT vulnerable:

Action Items

If you own a site that makes use of SimpleSAMLphp, there may be an action you need to take once the vulnerability details and updates are released. Note that updates may be released over the weekend or early next week.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.