Synopsis
Important: Red Hat Single Sign-On 7.3.7 security update
Type/Severity
Security Advisory: Important
Topic
A security update is now available for Red Hat Single Sign-On 7.3 from the Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.3.7 serves as a replacement for Red Hat Single Sign-On 7.3.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.
Security Fix(es):
- libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205)
- libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)
- commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)
- xmlsec: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400)
- JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command (CVE-2019-14885)
- wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887)
- jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330)
- netty: HTTP request smuggling (CVE-2019-20444)
- netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445)
- netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)
- keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP (CVE-2020-1744)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Solution
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link (you must log in to download the update).
Affected Products
-
Red Hat Single Sign-On Text-Only Advisories x86_64
Fixes
- BZ - 1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol
- BZ - 1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data
- BZ - 1764658 - CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source
- BZ - 1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default
- BZ - 1770615 - CVE-2019-14885 JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command
- BZ - 1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use
- BZ - 1793154 - CVE-2019-20330 jackson-databind: lacks certain net.sf.ehcache blocking
- BZ - 1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
- BZ - 1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header
- BZ - 1798524 - CVE-2019-20444 netty: HTTP request smuggling
- BZ - 1805792 - CVE-2020-1744 keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP
CVEs
References
Vulmon