
Further to our advisory of 27 July 2011, the Java and C versions of OpenAthens SP have been fully tested against the XML digital signature attacks identified in the advisory issued by the Shibboleth Project, and we can confirm that neither is vulnerable to these attacks, for either SAML 1.1 or SAML 2.0. SPs using OpenAthens SP v1.x or v2.0, on any platform, are therefore not exposed to the known forms of this type of attack.
However, a separate vulnerability has been identified in the SAML 2.0 POST profile handling of OpenAthens SP v2.0 on the Java platform. The affected build has been withdrawn from the OpenAthens download site and a fixed version has been released. Service providers that have downloaded the software have been contacted directly.
The Eduserv OpenAthens team would like to express their gratitude to Juraj Somorovsky, Andreas Mayer, Meiko Jensen and Jörg Schwenk of the Horst Görtz Institute for IT Security, Ruhr-University Bochum, for their help in confirming that both OpenAthens LA and OpenAthens SP are not affected by the signature wrapping vulnerability described in the Shibboleth Project advisory, and for identifying the OpenAthens SP v2.0 POST vulnerability.
The original advisory can be read here: http://shibboleth.internet2.edu/secadv/secadv_20110725.txt
The OpenSAML portion of this advisory has been assigned CVE-2011-1411. The CVE entry can be read here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1411
If you have any questions please contact the Eduserv OpenAthens Service Desk at athenshelp@eduserv.org.uk.
Yesterday the Shibboleth Project issued a critical advisory concerning Shibboleth and SAML. The attack targets the way SAML messages use XML digital signatures (signature wrapping) rather than any Shibboleth-specific code, so it may affect any SAML implementation.
Does this affect OpenAthens? We are currently working with independent security advisors to test OpenAthens SP (native and Java) against the same class of attack. We have no further information at present, but expect to have more within the next day or two.
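The following Python script is an added illustration of the signature wrapping class, not code from this advisory, from OpenAthens, or from the Shibboleth/OpenSAML projects, and it says nothing about how any particular product was or was not affected. It uses a deliberately simplified stand-in for XML-DSig (an HMAC-SHA256 over the C14N form of the element a Reference points at, in place of a real enveloped RSA signature and digest) so that it runs on the standard library alone; the element names, IDs and key are constructed. The point it demonstrates is the one that makes the attack implementation-independent: a signature proves that some element is authentic, and unless the SP consumes exactly that element, an attacker can leave the signed assertion in the document where the reference lookup still finds it and put a different assertion where the business logic looks.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed shared key: stands in for the IdP's signing key. Real SAML uses
# an RSA/ECDSA XML-DSig; the HMAC keeps the example self-contained.
IDP_KEY = b"constructed-idp-signing-key"


def c14n(elem):
    """Canonical (C14N) serialisation of one subtree, as XML-DSig digests it."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"))


def sign_element(elem, key=IDP_KEY):
    """Toy signature over exactly one element: HMAC-SHA256 of its C14N form."""
    return hmac.new(key, c14n(elem).encode(), hashlib.sha256).hexdigest()


def build_signed_response(subject):
    """What a (simplified) IdP emits: a Response holding one Assertion plus a
    Signature whose Reference URI points at that Assertion by ID."""
    resp = ET.Element("Response")
    assertion = ET.SubElement(resp, "Assertion", ID="_a1")
    ET.SubElement(assertion, "Subject").text = subject
    sig = ET.SubElement(resp, "Signature")
    ET.SubElement(sig, "Reference", URI="#_a1")
    ET.SubElement(sig, "SignatureValue").text = sign_element(assertion)
    return ET.tostring(resp, encoding="unicode")


def tamper(signed_xml, new_subject):
    """Naive forgery: edit the signed Subject in place. The signature catches this."""
    resp = ET.fromstring(signed_xml)
    resp.find("Assertion/Subject").text = new_subject
    return ET.tostring(resp, encoding="unicode")


def wrap(signed_xml, new_subject):
    """Signature wrapping: keep the genuine signed Assertion intact (so the
    Reference still resolves and verifies) but move it under a wrapper element,
    and put an attacker-chosen Assertion where the SP expects to find one."""
    resp = ET.fromstring(signed_xml)
    genuine = resp.find("Assertion")
    resp.remove(genuine)
    forged = ET.Element("Assertion", ID="_forged")
    ET.SubElement(forged, "Subject").text = new_subject
    resp.insert(0, forged)
    ET.SubElement(resp, "Extensions").append(genuine)
    return ET.tostring(resp, encoding="unicode")


def resolve_reference(root, ref_id):
    """getElementById-style lookup: any element at any depth with that ID."""
    for el in root.iter():
        if el.get("ID") == ref_id:
            return el
    raise ValueError("Reference does not resolve")


def verify_signature(resp):
    """Check the Signature and return the element it actually covers."""
    sig = resp.find("Signature")
    if sig is None:
        raise ValueError("unsigned Response")
    uri = sig.find("Reference").get("URI", "")
    if not uri.startswith("#"):
        raise ValueError("only same-document references are accepted")
    target = resolve_reference(resp, uri[1:])
    given = sig.findtext("SignatureValue") or ""
    if not hmac.compare_digest(sign_element(target), given):
        raise ValueError("signature does not verify")
    return target


def vulnerable_sp(xml):
    """Verifies *a* signature, then consumes the first Assertion it finds.
    Nothing ties the two together: that gap is the signature-wrapping bug."""
    resp = ET.fromstring(xml)
    verify_signature(resp)
    return resp.find("Assertion").findtext("Subject")


def hardened_sp(xml):
    """Consume only the element the signature covered, and insist it is the
    one and only top-level Assertion of the Response."""
    resp = ET.fromstring(xml)
    signed = verify_signature(resp)
    top_level = resp.findall("Assertion")
    if signed.tag != "Assertion" or len(top_level) != 1 or top_level[0] is not signed:
        raise ValueError("signed element is not the Assertion being consumed")
    return signed.findtext("Subject")


def rejects(sp, xml):
    """True if the SP refuses the message (used by the demo and the tests)."""
    try:
        sp(xml)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    genuine = build_signed_response("alice")
    print("vulnerable SP, genuine message :", vulnerable_sp(genuine))
    print("vulnerable SP, edited subject  : rejected =", rejects(vulnerable_sp, tamper(genuine, "admin")))
    print("vulnerable SP, wrapped message :", vulnerable_sp(wrap(genuine, "admin")))
    print("hardened SP, wrapped message   : rejected =", rejects(hardened_sp, wrap(genuine, "admin")))
```

Plain tampering is rejected by both SPs, which is why the attacker wraps instead of editing: the signed assertion is untouched and still verifies, but the vulnerable SP hands the forged subject to the application. The hardened SP never separates "what was verified" from "what is consumed", which is the property any SAML implementation needs regardless of its XML-DSig library.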
The advisory can be read here: http://shibboleth.internet2.edu/secadv/secadv_20110725.txt
The OpenSAML portion of this advisory has been assigned CVE-2011-1411. The CVE entry can be read here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1411
If you have any questions please contact the Eduserv AIM Service Desk at athenshelp@eduserv.org.uk.
© copyright Eduserv 2010 UK Registered Charity No. 1079456
