

Security advisories

26 February 2016 - CRITICAL glibc vulnerability

A CRITICAL security vulnerability has recently been detected in the GNU C Library (also known as glibc or libc6), which is fundamental to the Linux operating system that OpenAthens LA runs on. Left unpatched, this vulnerability could allow a remote attacker to crash the system or, in some circumstances, to execute arbitrary code on affected systems.

Who does this impact?

Customers using our OpenAthens LA product.

How do I fix it?

You will need to patch any OpenAthens LA runtime and, if applicable, proxy server(s) by running the following commands on each server from the command line. This will update the impacted libraries:

yum clean all

yum -y update glibc*

If you require further information, help or advice, please do not hesitate to contact the OpenAthens Service Desk via email, phone +44 (0) 1225 474333 or using our call logging system here: https://www.eduserv.org.uk/support/openathens.

17 October 2014 - SSL 3.0 vulnerability

A security vulnerability in SSL 3.0 has been identified that allows attackers to decrypt and steal data sent between users and servers. The most likely effect of exploiting this vulnerability would be to steal a user's session cookies, which would allow the attacker to log in to a website account without knowing the password.

How is this issue being addressed?
The likelihood of such an exploit succeeding is considered to be low because SSL 3.0 was deprecated almost fifteen years ago, but most modern browsers still support it. Therefore Eduserv has disabled support for SSL 3.0 on all its web services. No action is required by OpenAthens administrators or their users.

How will this affect me and my users?
Anyone still using IE6, an older browser, or a Windows XP machine could encounter difficulties using any element of the OpenAthens service, and those users may not be able to log in at all. The OpenAthens MD administrator interface released earlier in 2014 does not support IE6, so OpenAthens administrators are unlikely to be affected.

Advice for customers using OpenAthens LA
We strongly advise customers reconfigure OpenAthens LA runtimes to disable SSL 3.0. For instructions on how to do this, please see our wiki for details. If you would like assistance with any of the steps involved, please contact the OpenAthens Service Desk.
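The advice above is to disable SSL 3.0 on the OpenAthens LA runtime's Apache front end. The following is an added example, not code from OpenAthens or Eduserv, of a small audit check for that step: it reads an Apache mod_ssl configuration and reports whether any SSLProtocol directive still leaves SSLv3 on. It assumes the protocol set is controlled by SSLProtocol directives in mod_ssl syntax and, conservatively, treats the keyword "all" as including SSLv3 (which was the case for the mod_ssl builds of that period); the two config fragments it runs on are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not OpenAthens/Eduserv code: check whether an Apache httpd
# (mod_ssl) configuration still permits SSL 3.0. Assumptions: the protocol
# set is controlled by "SSLProtocol" directives in mod_ssl syntax, and the
# keyword "all" is treated as including SSLv3 (true for the mod_ssl builds of
# that period, and the conservative reading for an audit).

# sslv3_status CONFIG_FILE
# Prints "enabled" if any SSLProtocol directive leaves SSLv3 on,
# "disabled" if every directive excludes it, or "unset" if the file has no
# SSLProtocol directive at all (mod_ssl's default is "all", i.e. SSLv3 on).
sslv3_status() {
    conf="$1"
    found=0
    result=disabled
    while IFS= read -r line; do
        [ -n "$line" ] || continue   # skip the empty line grep yields on no match
        found=1
        line_status=disabled
        # Word-split the directive into tokens and drop the directive name.
        set -- $line
        shift
        # Tokens apply left to right, as mod_ssl does it: "all -SSLv3" ends up
        # disabled, "-SSLv3 all" ends up enabled, and a bare list such as
        # "TLSv1 TLSv1.1 TLSv1.2" never enables it.
        for tok in "$@"; do
            case "$tok" in
                [Aa][Ll][Ll]|+[Aa][Ll][Ll]|[Ss][Ss][Ll]v3|+[Ss][Ss][Ll]v3) line_status=enabled ;;
                -[Ss][Ss][Ll]v3) line_status=disabled ;;
            esac
        done
        if [ "$line_status" = enabled ]; then
            result=enabled
        fi
    done <<EOF
$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" 2>/dev/null)
EOF
    if [ "$found" -eq 0 ]; then
        echo unset
    else
        echo "$result"
    fi
}

# Demonstration on two constructed ssl.conf fragments (not real OpenAthens
# files): the weak form beside the hardened one the advisory asks for.
demo_dir=$(mktemp -d)
printf 'SSLEngine on\nSSLProtocol all -SSLv2\n' > "$demo_dir/weak.conf"
printf 'SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n' > "$demo_dir/fixed.conf"
echo "weak.conf:  SSLv3 $(sslv3_status "$demo_dir/weak.conf")"
echo "fixed.conf: SSLv3 $(sslv3_status "$demo_dir/fixed.conf")"
rm -rf "$demo_dir"
```

Run it against each ssl.conf (and any VirtualHost file that sets SSLProtocol) on the runtime; a result of "enabled" or "unset" means the directive still needs the "-SSLv3" change described in the wiki instructions, followed by an Apache restart.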

If you require further information, help or advice, please do not hesitate to contact the OpenAthens Service Desk via email, phone +44 (0) 1225 474333 or using our call logging system here: https://www.eduserv.org.uk/support/openathens

26 September 2014 - UPDATE: Bash vulnerability

A vulnerability was announced on 24 September 2014 in the computer program 'bash'. It enables unauthenticated users to run arbitrary commands, and in some configurations remote code execution is possible. It has been given the highest possible threat rating by independent security research bodies, including NIST, for both impact and exploitability. Please see the official CERT-UK website for further details.

Who does this impact?

  • Customers using our OpenAthens LA product which is installed on a Linux-based operating system, or using the pre-built virtual machine provided by OpenAthens, will need to patch their server(s).

  • Customers using our OpenAthens SP product on non-Windows-based operating systems are also advised to apply the relevant patches.

  • The OpenAthens MD and the OpenAthens API services are unaffected, although any website that uses OpenAthens as an authentication service is at risk as described above until it is patched.

How do I fix it?

Running the following command on each at-risk server from the command line will update the impacted libraries. Please ensure you have the latest update, as the original patch only provided a partial fix. New patches have been made available today (26 September 2014).

sudo yum update bash

If you require further information, help or advice, please do not hesitate to contact the OpenAthens Service Desk via email, phone +44 (0) 1225 474333 or using our call logging system here: https://www.eduserv.org.uk/support/openathens

19 June 2014 - OpenSSL vulnerabilities

On Monday 2 June 2014 an update was released to the OpenSSL libraries that fixed the following vulnerabilities:

Further information can be found here:
https://www.openssl.org/news/secadv_20140605.txt

None of the fixes are considered to be in the highest risk category; however, upgrading your OpenSSL versions as soon as possible is strongly recommended.

Which OpenAthens products are impacted?
OpenAthens LA - all versions (runtime and administration console)
OpenAthens SP - all versions
AthensDA - not impacted (however, if you have re-written AthensDA to include any updated OpenSSL libraries that could be affected, then you will need to update these)

No other OpenAthens products are affected by this vulnerability.

How do I fix this?
To fix the vulnerability the OpenSSL library will need to be updated and the web server application restarted. This will make your service unavailable for a short period (normally 2-3 minutes).

For OpenAthens LA and OpenAthens SP under the Linux operating system:
1. Log on to the OpenAthens LA runtime server(s) and run the following command to update the libraries on each runtime server:
sudo yum update openssl
2. Restart Apache using the following command:
sudo service httpd restart

Windows software should be updated via your normal process; we recommend speaking to a member of your technical team if you are not familiar with this.

Do I need to do anything else?
No other actions are required.

If you require further information, help or advice, please do not hesitate to contact the OpenAthens Service Desk via email, phone +44 (0) 1225 474333 or using our call logging system here: https://www.eduserv.org.uk/support/openathens

10 April 2014 - Critical OpenSSL vulnerability

How does OpenSSL relate to OpenAthens?

The OpenSSL library is used by many SAML compliant products to securely send and receive data transmissions; this includes some versions of OpenAthens products. On 7th April 2014 the OpenSSL project released a new security advisory for version 1.0.1 of the OpenSSL library. Please see the following links for more information:

https://www.openssl.org/news/secadv_20140407.txt
http://heartbleed.com/

Which OpenAthens products are impacted?
OpenAthens LA 2.2.x - vulnerable (runtime only)
OpenAthens LA 2.1 - not impacted
OpenAthens LA 2.0 - not impacted
OpenAthens SP (Apache module) - vulnerable
OpenAthens SP (Java) - not impacted
OpenAthens SP (.net) - not impacted
AthensDA - not impacted (however, if you have re-written AthensDA to include any updated OpenSSL libraries that could be affected, then you will need to update these)
OpenAthens single sign-on service - not impacted
OpenAthens MD Account Administration website - patched 9 April 2014
OpenAthens MD NHS Account Administration website - patched 9 April 2014
OpenAthens API - patched 9 April 2014
OpenAthens Proxy services - patched 9 April 2014
OpenAthens Documentation website - patched 9 April 2014

No other OpenAthens products are affected by this vulnerability.

How do I fix this?
To fix the vulnerability the OpenSSL library will need to be updated and the web server application restarted. This will make your service unavailable for a short period (normally 2-3 minutes).

OpenAthens LA 2.2.x
1. Log on to the OpenAthens LA runtime server(s) and run the following command to update the libraries on each runtime server:
sudo yum update openssl
2. Restart Apache using the following command:
sudo service httpd restart

OpenAthens SP (Apache module)
1. Run the following command to specifically update the OpenSSL library:
yum update openssl
2. Restart Apache using the following command:
service httpd restart
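Both OpenSSL procedures end with an Apache restart, and the glibc advisory of 26 February 2016 updates a library that every running process has loaded. In all three cases "yum update" only replaces the file on disk: a process that was already running keeps the old copy mapped until it is restarted, and Linux marks such mappings "(deleted)" in /proc/<pid>/maps. The following is an added example, not code from OpenAthens or Eduserv, of a check that the patch has actually taken effect; it assumes a Linux /proc filesystem, and the maps excerpt it demonstrates on is constructed sample data (the libc-2.12.so and libssl.so.1.0.1e names mirror a CentOS 6 era build, not output from an OpenAthens server).

```shell
#!/bin/sh
# Added example, not OpenAthens/Eduserv code. After "yum update glibc*" or
# "yum update openssl" the new library is on disk, but every process that was
# already running keeps the old copy mapped until it is restarted. The kernel
# marks such mappings "(deleted)" in /proc/<pid>/maps, which gives a simple
# check that the patch has taken effect for httpd (or anything else).

# stale_libs MAPS_FILE
# Prints each distinct shared-library path in a /proc/<pid>/maps file whose
# on-disk file has been replaced or removed while still mapped.
stale_libs() {
    # Field 6 is the pathname; the kernel appends " (deleted)" as a trailing field.
    awk '$6 ~ /\.so/ && $NF == "(deleted)" { print $6 }' "$1" | sort -u
}

# stale_processes
# Walks every readable /proc/<pid>/maps (run as root to see all processes)
# and prints "<pid> <comm> <library>" for each stale mapping, so an operator
# can see exactly which services still need "service httpd restart" or, for
# glibc, a reboot.
stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        stale_libs "$maps" 2>/dev/null | while IFS= read -r lib; do
            echo "$pid $comm $lib"
        done
    done
}

# Demonstration on a constructed maps excerpt (sample data, not a real server):
# libc is still mapped from a replaced file, libssl has been restarted cleanly.
demo_maps=$(mktemp)
cat > "$demo_maps" <<'EOF'
7f3a2c000000-7f3a2c18b000 r-xp 00000000 fd:00 131210 /lib64/libc-2.12.so (deleted)
7f3a2c18b000-7f3a2c38b000 ---p 0018b000 fd:00 131210 /lib64/libc-2.12.so (deleted)
7f3a2c600000-7f3a2c660000 r-xp 00000000 fd:00 131500 /usr/lib64/libssl.so.1.0.1e
7f3a2d000000-7f3a2d021000 rw-p 00000000 00:00 0      [heap]
EOF
echo "libraries still mapped from a replaced file:"
stale_libs "$demo_maps"
rm -f "$demo_maps"
```

On a patched server, "stale_processes" should print nothing once Apache has been restarted; any line naming libc means the glibc update has not reached that process, which for a library loaded by every program is the point at which a reboot is the practical fix.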

Do I need to do anything else?
This vulnerability allows an attacker to extract private information from the memory of a vulnerable system. This could include the system's private keys. We therefore highly recommend that once a system has been patched, a new SSL certificate is obtained and a new SAML trust certificate is generated. The new SAML certificate will need to be updated with the OpenAthens service. Please contact the OpenAthens Service Desk for specific advice regarding updating your certificate with our service.

If you require further information, help or advice, please do not hesitate to contact the OpenAthens Service Desk via email or phone +44 (0) 1225 474333.


Note: All times on this page are listed as UK time.