CVE-2022-24129
📋 TL;DR
This SSRF vulnerability in the Shibboleth Identity Provider OIDC OP plugin allows attackers to make arbitrary HTTP requests to third-party services by manipulating the request_uri parameter. It affects organizations using Shibboleth Identity Provider with the OIDC plugin before version 3.0.4. Attackers could potentially access internal services or perform data exfiltration.
💻 Affected Systems
- Shibboleth Identity Provider OIDC OP plugin
📦 What is this software?
OIDC OP plugin by Shibboleth
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data, or pivot to other systems within the network, potentially leading to full network compromise.
Likely Case
Attackers could probe internal services, access metadata from cloud providers, or interact with internal APIs to gather information or perform limited actions.
If Mitigated
With proper network segmentation and egress filtering, impact would be limited to information disclosure from accessible services only.
🎯 Exploit Status
Exploitation requires access to the OIDC endpoint but no authentication to the vulnerable plugin itself. Public proof-of-concept code exists in advisory references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.4
Vendor Advisory: http://shibboleth.net/community/advisories/secadv_20220131.txt
Restart Required: Yes
Instructions:
1. Download OIDC OP plugin version 3.0.4 or later from official Shibboleth repositories.
2. Replace the existing plugin JAR file in your Shibboleth IdP installation.
3. Restart the Shibboleth Identity Provider service.
🔧 Temporary Workarounds
Restrict request_uri parameter
Configure the plugin to only allow request_uri values from trusted domains, or disable the parameter entirely if it is not needed.
Modify OIDC plugin configuration to set 'requestUriAllowedDomains' to trusted domains only
Network egress filtering
Implement strict outbound firewall rules to limit the Shibboleth server's ability to make external HTTP requests.
Configure firewall to restrict outbound HTTP/HTTPS from Shibboleth server to only necessary destinations
🧯 If You Can't Patch
- Disable the OIDC plugin entirely if not required for your deployment
- Implement web application firewall rules to block malicious request_uri parameter values
🔍 How to Verify
Check if Vulnerable:
Check the version of the OIDC OP plugin JAR file in your Shibboleth IdP installation. Versions before 3.0.4 are vulnerable.
Check Version:
java -jar oidc-op.jar --version (or check JAR file metadata)
Verify Fix Applied:
Verify the plugin JAR file version is 3.0.4 or later and test that request_uri parameter restrictions are properly enforced.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Shibboleth server
- request_uri parameter values pointing to unexpected domains
Network Indicators:
- HTTP requests from Shibboleth server to unusual external IPs or domains
- Pattern of requests to internal services from Shibboleth server
SIEM Query:
source="shibboleth" AND (uri="*request_uri=*" OR (method="GET" AND uri="*http*"))
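An added example (not code from the advisory or from the Shibboleth project) that implements the "trusted domains only" workaround as a request_uri allowlist check and then runs that check over access-log lines to surface the log indicators listed above. ALLOWED_HOSTS, the log line format and the sample lines are all constructed assumptions.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse, parse_qs

# Hypothetical allowlist: the only RP host permitted to serve request objects.
ALLOWED_HOSTS = {"rp.example.edu"}


def request_uri_is_allowed(request_uri, allowed_hosts=ALLOWED_HOSTS):
    """Return (allowed, reason): https only, no literal IP targets, host allowlisted."""
    try:
        u = urlparse(request_uri)
        host = (u.hostname or "").lower()
    except ValueError:
        return False, "unparseable"
    if u.scheme != "https":
        return False, f"scheme {u.scheme!r} not https"
    if not host:
        return False, "missing host"
    try:
        ip_address(host)  # a bare IP (internal range, metadata service) is never a valid RP
        return False, "literal IP address"
    except ValueError:
        pass
    if host not in allowed_hosts:
        return False, f"host {host!r} not allowlisted"
    return True, "ok"


# Constructed sample access-log lines (not real Shibboleth output); the request
# line is the only field the detector relies on.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2022:10:00:00 +0000] "GET /idp/profile/oidc/authorize?client_id=rp1&request_uri=https%3A%2F%2Frp.example.edu%2Freq.jwt HTTP/1.1" 302
10.0.0.6 - - [31/Jan/2022:10:00:01 +0000] "GET /idp/profile/oidc/authorize?client_id=rp1&request_uri=http%3A%2F%2F10.0.0.1%2Finternal HTTP/1.1" 400
10.0.0.7 - - [31/Jan/2022:10:00:02 +0000] "GET /idp/profile/oidc/authorize?client_id=rp1&request_uri=https%3A%2F%2Funknown.example.net%2Fx HTTP/1.1" 302
10.0.0.8 - - [31/Jan/2022:10:00:03 +0000] "GET /idp/profile/oidc/authorize?client_id=rp1&scope=openid HTTP/1.1" 302
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_request_uris(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return [(client_ip, request_uri, reason)] for lines whose request_uri fails the check."""
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        query = parse_qs(urlparse(m.group(1)).query)  # parse_qs URL-decodes values
        for ru in query.get("request_uri", []):
            ok, reason = request_uri_is_allowed(ru, allowed_hosts)
            if not ok:
                findings.append((line.split()[0], ru, reason))
    return findings
```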
🔗 References
- http://shibboleth.net/community/advisories/
- http://shibboleth.net/community/advisories/secadv_20220131.txt
- https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220127-01_Shibboleth_IdP_OIDC_OP_Plugin_SSRF