A vulnerability has been found in OpenSAML, a so-called XML Signature Wrapping attack. The vulnerability affects OIOSAML.java, since OpenSAML is used in the OIOSAML.java filter. It is neccesary to upgrade to the newest version of the OpenSAML library as well as the newest version of OIOSAML.java.

Details about the security issue in OpenSAML can be found here

http://secunia.com/advisories/45385

Upgrade Instructions
No changes has been made to the OIOSAML.java configuration since the last release, so the upgrade can be performanced simply by upgrading the bundled JAR packages. The following steps needs to be performed

1) Download the latest version of OIOSAML.java (link below)
2) Unzip the file - The following files are relevant for the upgrade

  oiosaml.java-8330.jar
  lib/*.jar

Since the last release of OIOSAML.java, only the following files under 'lib' has been changed, and only these files are neccesary for an incremental upgrade

  esapi-2.0GA.jar (new dependency)
  opensaml-2.3.1.jar -> opensaml-2.5.1.jar
  openws-wstrust.jar -> openws-1.4.2.jar
  xmltooling-1.2.1.jar -> xmltooling-1.3.2.jar

3) The files (oiosaml, OpenSAML and OpenSAMLs dependencies) needs to be added as dependencies to the application that uses OIOSAML.java - old versions of these files needs to be deleted.

4) When the application has been rebuild, the files are expected to be located under WEB-INF/lib - and it is recommended to verify that the new files are indeed part of the final build, and that any old versions are deleted. The demo-application bundled with OIOSAML.java can be used as a reference-point for this.

NemLog-in
Service Providers connected to the NemLog-in IdP will receive information about this upgrade from the NemLog-in support in SKAT

Filer og referencer