Security Alerts - Security Advisory for Shibboleth Service Providers (17 March 2021)

Security stuff

Security Advisory for Shibboleth Service Providers (17 March 2021)

On 17 March 2021 a Shibboleth Service Provider vulnerability was announced which exposes the software to phishing attacks.

Shibboleth has advised that this vulnerability was of moderate severity.

The AAF team has patched SP internally, spanning across a range of products and services including Rapid IdP, Rapid Connect, VHO, VerifID Global and Validator.

Affected Versions

All subscribers who run Shibboleth SP (version 3.2.0 or older) in the Federation

Recommended Action

Upgrade Shibboleth SP to version 3.2.1+

View the official security advisory


See all known vulnerabilities: https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories

Please note that Rapid Connect (https://rapid.aaf.edu.au/) users are already protected and no further action is required.

Upgrading Shibboleth SP can be achieved by software package update (e.g. yum, apt, rpm, depending on distribution) or manual install via https://shibboleth.net/downloads/service-provider/

Login or Signup to post a comment

Newsletter Sign-up

To receive regular updates from AAF:
Add Me to the General List or Add Me to the Technical List or Add Me to the ORCID mailing list