Update OpenSAML and SimpleSAMLphp for vulnerability

This alert is intended for the U-M Security Community and U-M IT professionals who are responsible for sites that use OpenSAML and SimpleSAMLphp, including Shibboleth Service Provider software. Please share with any website, web application, or web server administrators within your unit, as appropriate.

Summary

Information Assurance (IA) has learned that the vulnerability in SAML libraries that was previously communicated to the Single Sign On Notify group has a wider-ranging impact than previously reported. The vulnerability is in both OpenSAML and SimpleSAMLphp, and affects more than just the Shibboleth Service Provider software.

Note: This alert supersedes the March 13, 2025 IA Alert: Update OpenSAML Library for Critical Vulnerability for Shibboleth Service Providers as new information has become available.

Problem

A high-severity vulnerability in OpenSAML and SimpleSAMLphp has been identified that could allow signature confusion and lead to an SSO forgery/impersonation attack. It can impact all implementations that include them. As a result, OpenSAML and SimpleSAMLphp should be updated to their latest versions as soon as possible.

Additionally, the previously communicated mitigation step of removing a line in the Shibboleth SP configuration file does not resolve the critical vulnerability. It is necessary to update OpenSAML to V.3.3.1 to correct the vulnerability.

Threats

Instructions for exploiting the vulnerability have been made public. An attacker exploiting this vulnerability could:

  • Impersonate any user within the Service Provider.
  • Craft a malicious message to make the software do things that should not be done.

Affected Versions

  • OpenSAML versions prior to 3.3.1
  • SimpleSAMLphp versions prior to 2.3.7
    Examples of implementations that include SimpleSAMLphp Software are (not an exhaustive list):
    • WP SAML Auth WordPress plugin
    • Drupalauth Drupal module
    • simpleSAML Drupal module
      Note: The SAMLauth Drupal module and miniorange-saml-20-single-sign-on WordPress plugin do not use SimpleSAMLphp and do not require action.

Action Items

Update to these software versions as soon as possible:

  • OpenSAML version 3.3.1
  • SimpleSAMLphp 2.3.7 

The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

ITS will send a document next week for tracking the completions of updates. Be prepared to complete the tracking document.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.