Hello,
We just updated OOD to 4.0.8 in our center and are wondering whether CVE-2025-66029 affects only centers with OIDC or also those that set up OOD auth with Shibboleth, like us?
Thank you,
Misha
Yes it does, or at least it could. You’ll need to update to 4.0.8.
Though I don’t know what headers that you’d need to unset, so that’s why they’re not listed there. If you can provide the authentication headers that Shibboleth sets, then I’d be happy to update the GHSA for the same.
Thank you, Jeff!
(4.0.3) was a typo, and we did update OOD to 4.0.8. Sorry about that!
This is how we set the auth in ood_portal.yml:
auth:
- "AuthType shibboleth"
- "ShibRequestSetting requireSession 1"
- "RequestHeader edit* Cookie \"(^_shibsession_[^;]*(;\\s*)?|;\\s*_shibsession_[^;]*)\" \"\""
- "RequestHeader unset Cookie \"expr=-z %{req:Cookie}\""
- "Require valid-user"
Is there any other place I should look to find the correct headers, like the DevTools in the browser?
Best,
Misha
Yea dev tools on your client browser or a simple echo server to test against.
Hi Jeff,
How about these:
POST /Shibboleth.sso/SAML2/POST HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9,fa;q=0.8
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 10092
Content-Type: application/x-www-form-urlencoded
Cookie: _ga=GA1.1.859765155.1757704865; _ga_QB2N6FJW1L=GS2.1.s1758215284$o2$g0$t1758215287$j57$l0$h0; _ga_13QNWE5GGX=GS2.1.s1758215285$o2$g0$t1758215287$j58$l0$h0; _ga_SPH6F1RKXY=GS2.1.s1758222459$o2$g1$t1758222769$j60$l0$h0; _ga_B27HBMC8B7=GS2.1.s1758312418$o6$g1$t1758312439$j39$l0$h0; _ga_KYDNSFJH6D=GS2.1.s1758312418$o6$g1$t1758312439$j39$l0$h0; _ga_41CLQ33B17=GS2.1.s1758312418$o5$g1$t1758312439$j39$l0$h0; _ga_7ZEQ959VGG=GS2.1.s1758312418$o5$g1$t1758312439$j39$l0$h0; _opensaml_req_ss%3Amem%3A83eebcef95cf4fb25e57224d7efd5ca86643f18e0326c849e416b19a3ee77ce5=_5a4e1857f92b1c697e2afd3afa2bec89; _opensaml_req_ss%3Amem%3Af72371557e33b206a1fc47da477a2997ea1b840746b7689b09007327e520b9e9=_5671fd1100b2880de2738644ca2be016; _opensaml_req_ss%3Amem%3A5c86f5b7c1661d5f045cf6c61a78d56ac409cfa3db01e930051b8cd9daee93a7=_46dd37df2b74f5a15e4f2f6d785efe3c
DNT: 1
Host: ondemand.hpcc.ttu.edu
Origin: https://idp.shibboleth.ttu.edu
Referer: https://idp.shibboleth.ttu.edu/
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
sec-ch-ua: "Not(A:Brand";v="8", "Chromium";v="144", "Google Chrome";v="144"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Please let me know if you need more specific information.
Thank you for helping with this!
Misha
Hi Jeff,
I’m just checking to see if you have any updates on this.
Thank you,
Misha
I think _ga.* is google analytics? Seems like you could edit those.
It also seems like _opensaml_req.* is a Shibboleth related cookie you’d want to edit.
custom_location_directives:
# Match one name=value pair at a time; a greedy `.*` here could span several cookies.
- 'RequestHeader edit* Cookie "_ga[^=;]*=[^;]*;?\s*" ""'
- 'RequestHeader edit* Cookie "_opensaml_req[^=;]*=[^;]*;?\s*" ""'
Sorry - had to update the comment above - seems like _opensaml_req.* is a cookie you’d want to edit as well.
Thank you, Jeff,
FYI, we also set the following lines in the "auth" section of the ood_portal.yml file to enable Shibboleth:
auth:
- "AuthType shibboleth"
- "ShibRequestSetting requireSession 1"
- "RequestHeader edit* Cookie \"(^_shibsession_[^;]*(;\\s*)?|;\\s*_shibsession_[^;]*)\" \"\""
- "RequestHeader unset Cookie \"expr=-z %{req:Cookie}\""
- "Require valid-user"
What do you think of including the same “RequestHeader” lines above in the custom_location_directives?
Misha
I believe auth lines like that act the same as custom_vhost_directives and if I'm not mistaken directives on the vhost apply to all locations as well, i.e., superseding location directives. So I think that's OK though I'd have to consult the Apache documentation to be 100% sure.
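Before deploying cookie-stripping directives like the ones discussed in this thread, it helps to run the regexes against a sample Cookie header offline and see exactly which cookies survive. The following script is an added example, not code from Open OnDemand or from anyone in this thread. It approximates Apache's `RequestHeader edit* Cookie <regex> ""` with Python's `re.sub` (Apache uses PCRE; for these patterns the behaviour is the same), uses a constructed Cookie header with placeholder values, and compares the `_ga.*=[^;]+;` pattern as posted with a per-cookie pattern that matches a single `name=value` pair. It also shows the `_shibsession_` regex from the auth section and the `-z %{req:Cookie}` unset step.

```python
"""Offline check of Apache `RequestHeader edit* Cookie` regexes.

Added example (not from Open OnDemand or the thread above). Approximates
`RequestHeader edit* Cookie <regex> ""` by replacing every match with "",
so an admin can see which cookies a directive removes before deploying it.
"""
import re

# Constructed sample Cookie header; names and values are placeholders.
SAMPLE_COOKIE = (
    "_ga=GA1.1.111.222; "
    "_shibsession_abc=_deadbeef; "
    "_ga_QB2N6FJW1L=GS2.1.s1; "
    "_opensaml_req_ss%3Amem%3A00=_cafe; "
    "ood_portal=xyz"
)

# Pattern from the thread's auth section: drop _shibsession_* cookies,
# whether they are the first cookie or a later one.
SHIBSESSION = r"(^_shibsession_[^;]*(;\s*)?|;\s*_shibsession_[^;]*)"

# The `_ga` pattern as posted: `.*` is greedy and may span several cookies.
GA_GREEDY = r"_ga.*=[^;]+;"

# Per-cookie alternatives: match exactly one name=value pair (plus its
# separator) whose name starts with the prefix.
GA_TIGHT = r"_ga[^=;]*=[^;]*;?\s*"
OPENSAML_TIGHT = r"_opensaml_req[^=;]*=[^;]*;?\s*"


def request_header_edit_all(cookie: str, pattern: str) -> str:
    """Approximate `RequestHeader edit* Cookie pattern ""` (replace all matches)."""
    return re.sub(pattern, "", cookie)


def apply_directives(cookie: str, patterns: list[str]) -> str:
    """Apply several edit* directives in order, as Apache would."""
    for pattern in patterns:
        cookie = request_header_edit_all(cookie, pattern)
    return cookie


def finalize_cookie(cookie: str):
    """Approximate `RequestHeader unset Cookie "expr=-z %{req:Cookie}"`:
    an empty Cookie header is removed entirely (None), otherwise kept."""
    return None if cookie == "" else cookie


def cookie_names(cookie: str) -> list[str]:
    """Cookie names left in a header, in order, ignoring empty fragments."""
    return [p.split("=", 1)[0].strip() for p in cookie.split(";") if p.strip()]


if __name__ == "__main__":
    print("greedy _ga pattern keeps:", cookie_names(request_header_edit_all(SAMPLE_COOKIE, GA_GREEDY)))
    print("per-cookie _ga pattern keeps:", cookie_names(request_header_edit_all(SAMPLE_COOKIE, GA_TIGHT)))
    stripped = apply_directives(SAMPLE_COOKIE, [GA_TIGHT, OPENSAML_TIGHT, SHIBSESSION])
    print("all directives keep:", cookie_names(stripped))
    print("header after unset step:", finalize_cookie(apply_directives("_shibsession_abc=_deadbeef", [SHIBSESSION])))
```

With the constructed header, the greedy pattern matches from the first `_ga` all the way to the last `=...;` pair, so it silently removes `_shibsession_abc` along with the analytics cookies; the per-cookie pattern removes only the two `_ga*` cookies. Since cookie order in a real browser request is not under the server's control, the per-cookie form is the safer choice. When the `_shibsession_` cookie was the only cookie, the edit leaves an empty header and the `-z` unset step removes it.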