A vulnerability has been found in OpenSAML, a so-called XML Signature Wrapping attack. The vulnerability affects OIOSAML.java, since OpenSAML is used in the OIOSAML.java filter. It is necessary to upgrade to the newest version of the OpenSAML library as well as the newest version of OIOSAML.java.
Details about the security issue in OpenSAML can be found here
No changes have been made to the OIOSAML.java configuration since the last release, so the upgrade can be performed simply by replacing the bundled JAR packages. The following steps need to be performed:
1) Download the latest version of OIOSAML.java (link below).
2) Unzip the file. The following files are relevant for the upgrade.
Since the last release of OIOSAML.java, only the following files under 'lib' have been changed, and only these files are necessary for an incremental upgrade:
esapi-2.0GA.jar (new dependency)
opensaml-2.3.1.jar -> opensaml-2.5.1.jar
openws-wstrust.jar -> openws-1.4.2.jar
xmltooling-1.2.1.jar -> xmltooling-1.3.2.jar
3) The files (OIOSAML.java, OpenSAML and OpenSAML's dependencies) need to be added as dependencies to the application that uses OIOSAML.java; old versions of these files must be deleted.
4) When the application has been rebuilt, the files are expected to be located under WEB-INF/lib. It is recommended to verify that the new files are indeed part of the final build and that all old versions have been deleted. The demo application bundled with OIOSAML.java can be used as a reference point for this.
Service Providers connected to the NemLog-in IdP will receive information about this upgrade from the NemLog-in support at SKAT.
Files and references
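The verification in step 4 is easy to get wrong by hand, since a build that merely adds the new JARs next to the old ones will still load the vulnerable OpenSAML classes. The following script is an added example, not part of the OIOSAML.java distribution: it takes the path to the exploded application's WEB-INF/lib directory (assumed to be a flat directory of JAR files) and checks that every JAR named in the upgrade list above is present and that no other version of opensaml, openws or xmltooling remains.

```shell
# Added example (not from the OIOSAML.java release note): verify the JARs in
# WEB-INF/lib after the OpenSAML upgrade.
# Assumption: DIR is a flat directory of JAR files named as in the upgrade list.

# JARs that must be present after the upgrade (names from the release note).
EXPECTED_JARS="esapi-2.0GA.jar opensaml-2.5.1.jar openws-1.4.2.jar xmltooling-1.3.2.jar"

# check_oiosaml_libs DIR
# Prints one line per problem found. Returns 0 only when every expected JAR is
# present and no other version of the three upgraded libraries remains, so the
# exit status can gate a build or deployment step.
check_oiosaml_libs() {
    dir="$1"
    status=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }

    # 1. Every JAR from the upgrade list must exist.
    for jar in $EXPECTED_JARS; do
        if [ ! -f "$dir/$jar" ]; then
            echo "MISSING: $jar"
            status=1
        fi
    done

    # 2. Any opensaml/openws/xmltooling JAR that is not one of the expected
    #    versions is stale (e.g. opensaml-2.3.1.jar left behind by the old build)
    #    and would still expose the vulnerable code.
    for f in "$dir"/opensaml-*.jar "$dir"/openws-*.jar "$dir"/xmltooling-*.jar; do
        [ -e "$f" ] || continue      # glob did not match anything
        name=$(basename "$f")
        case " $EXPECTED_JARS " in
            *" $name "*) ;;           # expected version, fine
            *) echo "STALE: $name"; status=1 ;;
        esac
    done

    return $status
}

# Usage:
#   check_oiosaml_libs path/to/exploded-war/WEB-INF/lib && echo "upgrade verified"
```

Run it against the unpacked WAR (or the deployed directory) rather than against your source tree, because the point of the check is what the container will actually put on the classpath; a non-zero exit means the build still contains a vulnerable or missing library.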