New OpenSSL vulnerability

Posted on Tuesday, 10 June 2014

The following announcement has just been sent out to everyone listed as a technical or administrative contact for one or more entities registered with the UK Access Management Federation for Education and Research. Its purpose is to inform you of an important security problem which will affect many UK federation members.

YOU SHOULD ENSURE that the material below is reviewed by your technical staff as soon as possible, so that you can minimise the impact of this issue on your services.

Summary

On 2014-06-05, the OpenSSL team disclosed and patched a number of important vulnerabilities in the OpenSSL library. These issues are likely to affect all UK federation SAML deployments to some extent and we strongly recommend that all members take steps to ensure that the version of OpenSSL in use by their deployments is up to date.

The OpenSSL advisory for these issues can be found here:

https://www.openssl.org/news/secadv_20140605.txt

Most current Linux distributions have already made patches for these vulnerabilities available. In addition, the Shibboleth project has released the following advisory relating specifically to Shibboleth software:

http://shibboleth.net/community/advisories/secadv_20140608.txt

Further Steps

Please contact the UK federation helpdesk (service at ukfederation.org.uk) if you have any additional questions about this advisory, or if you need help in determining whether your systems are vulnerable.

-- Ian Young, UK federation

Edited by SteveGlover on 10 June 2014, at 09:15 AM