CVE-2017-12871

Name of the Vulnerable Software and Affected Versions SimpleSAMLphp versions 1.14.x through 1.14.11

Description The issue makes it easier for context-dependent attackers to bypass the encryption protection mechanism by leveraging the use of the first 16 bytes of the secret key as the initialization vector (IV) in the aesEncrypt method.

Recommendations For SimpleSAMLphp versions 1.14.x through 1.14.11, consider modifying the aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php to use a secure initialization vector (IV) instead of the first 16 bytes of the secret key. As a temporary workaround, restrict access to the aesEncrypt method until a patch is available.