Red Hat Single Sign-On 7.3 Update 6 Release Notes
This software patch resolves a number of security defects and customer-reported bugs in Red Hat Single Sign-On 7.3. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer-reported bugs. Fixes for RH-SSO 7.3 will continue until RH-SSO 7.4 is released, at which time maintenance will be delivered on RH-SSO 7.4.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for every product.
For more information on which client adapters are tested and supported with Red Hat Single Sign-On versions, see:
Red Hat Single Sign-On adapter and server compatibility
This update includes all fixes and changes from Red Hat Single Sign-On 7.3 Update 5.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.2 Update 5. See the JBoss Enterprise Application Platform 7.2 Update 5 Release Notes for a list of changes included in that release.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2020-1697 | Server | stored XSS in client settings via application links https://issues.redhat.com/browse/KEYCLOAK-12459 |
| CVE-2019-14888 | Server | possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS |
| CVE-2019-17531 | Server | jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution |
| CVE-2019-16943 | Server | jackson-databind: Serialization gadgets in classes of the p6spy package |
| CVE-2019-16942 | Server | jackson-databind: Serialization gadgets in classes of the commons-dbcp package |
| CVE-2019-14893 | Server | jackson-databind: Serialization gadgets in classes of the xalan package |
| CVE-2019-14892 | Server | jackson-databind: Serialization gadgets in classes of the commons-configuration package |
| CVE-2019-17267 | Server | jackson-databind: Serialization gadgets in classes of the ehcache package |
| CVE-2019-14540 | Server | jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig |
| CVE-2019-16335 | Server | jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource |
| CVE-2019-16869 | Server | netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers |
| CVE-2019-10219 | Server | hibernate-validator: safeHTML validator allows XSS |
| CVE-2019-10174 | Server | infinispan-core: infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods |
| CVE-2019-10173 | Server | xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285) |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-12570 | Openshift Container Catalog | redhat-sso-7-openshift-image needs a cct modules update |
| KEYCLOAK-12518 | Maven Repository | Missing maven dependency keycloak-spring-boot-adapter-core jar in Red Hat Maven Repository |
| KEYCLOAK-12470 | Server | Keycloak server stores SessionId in its logs as well as database. |
| KEYCLOAK-12459 | Server | Stored XSS in Client Settings via Application Links |
| KEYCLOAK-12182 | Protocol - OIDC | Need to change error response from unsupported_response_type to unauthorized_client with response_type=token if the implicit flow is disabled |
| KEYCLOAK-12157 | Authentication, Identity Brokering | Front-channel logout with identity brokering does not work after browser restart |
| KEYCLOAK-11987 | Server, Authentication, Database | Authentication fails if redirect URL is too long with Event logging enabled |
| KEYCLOAK-11981 | User Federation - LDAP | Login fails if federated user is read-only and has selected a locale on the login screen |
| KEYCLOAK-11768 | Database, User Federation - LDAP | com.microsoft.sqlserver.jdbc.SQLServerException: Violation of UNIQUE KEY constraint 'SIBLING_NAMES' |
| KEYCLOAK-12641 | Server, All Adapters | Applying new Policies for insecure cookies with SameSite=none issued by Keycloak |
Known Issues
The following are new known issues for this release. For additional known issues, see the Red Hat Single Sign-On 7.3 Release Notes.
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-10260 | Server, Installation (Zip only) | Linux patch failure due to incorrect permissions. To fix this issue, go to the rh-sso-7.3 directory and issue this command: `chmod 775 .installation` |
| KEYCLOAK-11560 | Server | Low limit on the length of the USER_ENTITY.ID field in the DB schema (50 characters). This might be insufficient in some cases, for example for federated users whose ID also contains the prefix of their federated store. |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.3 Patching and Upgrading Guide.
The adapters are distributed as a full release that is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.