Red Hat Single Sign-On 7.3 Update 4 Release Notes
This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.3. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.3 will continue until RH-SSO 7.4 is released, and at that time maintenance will be delivered on RH-SSO 7.4.
Updated client adapters are released as needed to resolve customer reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for every product.
For more information on which client adapters are tested and supported with Red Hat Single Sign-On versions see:
Red Hat Single Sign-On adapter and server compatibility
This update includes all fixes and changes from Red Hat Single Sign-On 7.3 Update 3.
The Red Hat Single Sign-On server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.2 Update 4. See the JBoss Enterprise Application Platform 7.2 Update 4 Release Notes for a list of changes included in that release.
Download: Red Hat Single Sign-On 7.3 Update 4
Noteworthy Changes
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-10899 | Authorization Services | Uploading scripts through the UMA Policy Endpoint is deprecated and will be removed in a future release. |
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2019-14832 | Admin - REST API | Cross-realm user access authorization bypass: the admin REST API allowed users of one realm to be accessed through another realm. See KEYCLOAK-10822. |
| CVE-2019-14820 | Adapter - Java - Wildfly (EAP 7) | Removed the OIDC adapter k_version endpoint. Information exposure vulnerability because Keycloak adapter endpoints were exposed via arbitrary URLs. See KEYCLOAK-11459 and KEYCLOAK-8785. |
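After applying the update and redeploying the adapter, a practitioner will want to confirm that secured applications no longer answer the k_version endpoint. The following script is an added example for these release notes, not Red Hat's or the Keycloak project's own code. It assumes (the page does not state this) that the pre-fix adapter matched the endpoint on any request path ending in `k_version`, so it probes several path depths under each application root, and it treats an HTTP 200 whose body looks like version information as the disclosure; the application URLs are hypothetical.

```python
"""Post-update check for CVE-2019-14820 (KEYCLOAK-11459): confirm that a
secured application no longer answers the OIDC adapter's k_version endpoint.

Added example for these release notes, not Red Hat's or the Keycloak
project's own code. Assumptions not stated on the page: the adapter matched
the endpoint on any path ending in "k_version", and the disclosure was a
200 response carrying a JSON object with a "version" key.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Paths probed under each application root. The page says the adapter
# endpoints were reachable "via arbitrary URLs", so the check is not limited
# to the application root (assumption about the matching behaviour).
PROBE_SUFFIXES = ("k_version", "nested/k_version", "a/b/c/k_version")


def probe_urls(base_url):
    """Return the list of URLs to request for one application base URL."""
    base = base_url if base_url.endswith("/") else base_url + "/"
    return [urljoin(base, suffix) for suffix in PROBE_SUFFIXES]


def classify(status, body):
    """Classify one HTTP response.

    'leak'  - 200 with a body that looks like adapter version information
    'fixed' - any non-200 (the patched adapter no longer handles k_version)
    'other' - 200 whose body does not look like version information, e.g.
              the application itself served that path
    """
    if status != 200:
        return "fixed"
    text = body.decode("utf-8", errors="replace")
    try:
        data = json.loads(text)
        looks_like_version = isinstance(data, dict) and "version" in data
    except ValueError:
        looks_like_version = "version" in text.lower()
    return "leak" if looks_like_version else "other"


def fetch(url, timeout=5):
    """GET a URL and return (status, body); HTTP error codes are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_application(base_url, fetcher=fetch):
    """Probe one application; returns {url: classification}.

    `fetcher` is injectable so the logic can be exercised without a network.
    """
    return {url: classify(*fetcher(url)) for url in probe_urls(base_url)}


if __name__ == "__main__":
    # Hypothetical application roots; replace with your own deployments.
    BASE_URLS = ["https://app.example.com/myapp/"]
    for base in BASE_URLS:
        for url, verdict in check_application(base).items():
            print(f"{verdict:5s} {url}")
```

Any `leak` verdict means the old adapter is still deployed on that application; a `fixed` verdict at every depth is the expected result after the update. An `other` verdict only means the application itself serves that path and should be inspected by hand.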
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-11459 | Adapter - Java - Wildfly (EAP 7) | Removed the OIDC adapter k_version endpoint. |
| KEYCLOAK-11367 | Admin - Console, Admin - REST API | Credentials tab on clients can only be displayed with the view-realm role. |
| KEYCLOAK-11301 | User Federation - LDAP | Lock issue with MySQL in /auth/admin/realms/{realm}/groups/{group}/members with LDAP storage. |
| KEYCLOAK-11149 | Distribution | Removed unused Struts v2 jar shipped with the RH-SSO 7.3 source zip. |
| KEYCLOAK-11001 | Authenticator | OCSP validation fails if there is no intermediate CA in the client certificate. |
| KEYCLOAK-10972 | Server | Support identity brokering with OpenShift v4. |
| KEYCLOAK-10956 | Server | Make AuthenticationSessionModel available in the EventListenerProvider SPI. |
| KEYCLOAK-10822 | Admin - REST API | Prevent access to users from another realm. |
| KEYCLOAK-10550 | User Federation - LDAP | Synchronization of a large number of LDAP groups is very slow. |
| KEYCLOAK-10464 | Authorization Services | CIP not properly resolving objects from the JSON request body. |
| KEYCLOAK-10329 | Adapter - Java | Keycloak uses a different credential instance on each request when creating the subject in the JAAS/PicketBox integration. |
| KEYCLOAK-10224 | Adapter - NodeJS | Vulnerable dependency in keycloak-nodejs-connect. |
| KEYCLOAK-11510 | Distribution (RPM) | rh-sso7-libunix-dbus-java added to the 7.3 repository for RHEL 7. |
Known Issues
The following are new known issues for this release. For additional known issues, see the Red Hat Single Sign-On 7.3 Release Notes.
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-10363 | Server | SSSD integration does not work on RHEL 8 because the JNA package is not available in the BaseOS repository. The JNA package is available in the CodeReady Builder repository. As a workaround, enable the `codeready-builder-for-rhel-8-x86_64-rpms` repository with `subscription-manager repos --enable=codeready-builder-for-rhel-8-x86_64-rpms`. |
| KEYCLOAK-10260 | Server, Installation (Zip only) | Linux patch failure due to incorrect permissions. To fix this issue, go to the rh-sso-7.3 directory and run `chmod 775 .installation`. |
| KEYCLOAK-11560 | Server | Low limit on the length of the USER_ENTITY.ID field in the DB schema (50 characters). This might be insufficient in some cases, for example for federated users, whose ID also contains the prefix of their federated store. |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.3 Patching And Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.