UAA Release Notes 4.7.1
Known Issue
This release introduces a breaking change in SSL hostname verification for SAML and OIDC connections to identity providers that present self-signed certificates. The issue is addressed in 4.7.2.
The update of the httpclient dependency introduced SSL hostname verification, which checks the certificate's subject alternative names (or, when none are present, the certificate CN) against the host being connected to in order to prevent man-in-the-middle attacks. The following identity provider configurations are affected; in each case the target's self-signed certificate must carry a subject alternative name or CN that matches the configured hostname:
- OIDC identity providers during the login flow
- SAML identity providers during the SAML metadata exchange, where the metadata location is provided as a URL rather than uploaded as a file
In addition, MySQL JDBC connections now perform SSL hostname verification when SSL is enabled. The driver checks the server's identity as presented in the server's certificate (subject alternative names or the certificate CN) against the configured database host to prevent man-in-the-middle attacks. Servers whose certificates already match their hostname are not affected.
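The matching rule described above (subject alternative names first, CN only as a fallback when the certificate has no SAN extension, wildcards restricted to a single left-most label) is illustrated in the following added example. It is not UAA or httpclient code; it reimplements the rule in Python over certificate data in the dict shape returned by Python's `ssl.getpeercert()`, and the sample certificates are constructed here to show the typical failure: a self-signed certificate issued only for `localhost`, or with a CN but no SAN, being used for a differently named identity provider or database host.

```python
"""Hostname verification against a server certificate's identifiers.

Added example (not UAA or httpclient code). Certificates are given in the
dict shape returned by ssl.getpeercert(): 'subject' is a tuple of RDNs, each
a tuple of (attribute, value) pairs; 'subjectAltName' is a tuple of
(type, value) pairs with type 'DNS' or 'IP Address'.
"""
import ipaddress
from typing import Optional


def _subject_cn(cert: dict) -> Optional[str]:
    """Return the subject commonName, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def _match_dns(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match. A wildcard is accepted only as the
    entire left-most label and only when at least two labels follow it,
    so '*.idp.example.com' covers 'sso.idp.example.com' but neither
    'a.b.idp.example.com' nor anything under a bare '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def verify_hostname(cert: dict, hostname: str) -> bool:
    """True if the certificate identifies `hostname`.

    SAN entries take precedence: once a certificate carries any SAN, the CN
    is ignored entirely. The CN is consulted only for SAN-less certificates,
    which is where older self-signed certificates usually end up.
    """
    sans = cert.get("subjectAltName", ())
    dns_names = [v for t, v in sans if t == "DNS"]
    ip_addrs = [v for t, v in sans if t == "IP Address"]
    try:
        target_ip = ipaddress.ip_address(hostname)
    except ValueError:
        target_ip = None  # a DNS name, not an IP literal

    if dns_names or ip_addrs:
        if target_ip is not None:
            return any(ipaddress.ip_address(ip) == target_ip for ip in ip_addrs)
        return any(_match_dns(p, hostname) for p in dns_names)

    cn = _subject_cn(cert)
    if cn is None:
        return False
    if target_ip is not None:
        return cn == hostname  # no wildcard matching against IP literals
    return _match_dns(cn, hostname)


def explain(cert: dict, hostname: str) -> str:
    """Operator-facing reason string for a verification result."""
    if verify_hostname(cert, hostname):
        return "ok"
    sans = cert.get("subjectAltName", ())
    if not sans:
        return (f"no subjectAltName and CN {_subject_cn(cert)!r} does not match "
                f"{hostname!r}; reissue the certificate with a SAN for {hostname}")
    names = [v for _, v in sans]
    return f"subjectAltName {names} does not cover {hostname!r}"


# Constructed sample certificates (not real certificates).
CERT_WITH_SAN = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "subjectAltName": (("DNS", "login.example.com"), ("DNS", "*.idp.example.com")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "idp.example.com"),),)}
CERT_DEV_LOCALHOST = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"),),
}
CERT_DB_IP_SAN = {
    "subject": ((("commonName", "mysql"),),),
    "subjectAltName": (("IP Address", "10.0.0.5"),),
}

if __name__ == "__main__":
    for cert, host in [(CERT_WITH_SAN, "sso.idp.example.com"),
                       (CERT_WITH_SAN, "legacy.example.com"),
                       (CERT_CN_ONLY, "idp.example.com"),
                       (CERT_DEV_LOCALHOST, "idp.example.com"),
                       (CERT_DB_IP_SAN, "10.0.0.5")]:
        print(f"{host:22s} -> {explain(cert, host)}")
```

The second and fourth cases are the ones that bite after this upgrade: a CN that would have matched is ignored because the certificate also has SANs, and a development certificate issued for `localhost` is rejected at any other hostname. The fix in both cases is to reissue the self-signed certificate with a SAN for the hostname (or IP address) that UAA is configured to connect to.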
Notes
This is a security release addressing the following issues:
Additionally, UAA dependencies have been updated:
- tomcat and tomcat jdbc pool to 8.5.23
- Spring Security LDAP to 2.3.2
- commons fileupload to 1.3.3
- antisamy to 1.5.7
- Apache Velocity to 2.0
- xalan to 2.7.2
- beanutils to 1.9.3
- Spring Framework to 4.3.11
- httpclient to 4.5.3