Red Hat Single Sign-On 7.3 Update 7 Release Notes
This software patch resolves a number of security defects and customer-reported bugs in Red Hat Single Sign-On 7.3. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer-reported bugs. Fixes for RH-SSO 7.3 will continue until RH-SSO 7.4 is released, at which time maintenance will be delivered on RH-SSO 7.4.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for every product.
For more information on which client adapters are tested and supported with Red Hat Single Sign-On versions see:
Red Hat Single Sign-On adapter and server compatibility
This update includes all fixes and changes from Red Hat Single Sign-On 7.3 Update 6.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.2 Update 6. See the JBoss Enterprise Application Platform 7.2 Update 6 Release Notes for a list of changes included in that release.
Download: Red Hat Single Sign-On 7.3 Update 7
Note: An additional security erratum/update must be applied to resolve another security issue. Download: CVE-2020-1745 undertow: AJP File Read/Inclusion Vulnerability.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2020-1744 | Server | failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP |
| CVE-2020-7238 | Dependencies - Container, RH-SSO | netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling |
| CVE-2020-20444 | Dependencies - Container, RH-SSO | netty: HTTP request smuggling |
| CVE-2020-20445 | Dependencies - Container, RH-SSO | netty: HttpObjectDecoder.java allows a Content-Length header to be accompanied by a second Content-Length header |
| CVE-2020-20330 | Dependencies - Container, RH-SSO | jackson-databind: lacks certain net.sf.ehcache blocking |
| CVE-2019-14885 | Dependencies - Container, RH-SSO | jboss-cli: JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command |
| CVE-2019-14887 | Dependencies - Container, RH-SSO | wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use |
| CVE-2019-10086 | Dependencies - Container, RH-SSO | commons-beanutils: apache-commons-beanutils: does not suppress the class property in PropertyUtilsBean by default |
| CVE-2019-12400 | Dependencies - Container, RH-SSO | xmlsec: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source |
| CVE-2019-0205 | Dependencies - Container, RH-SSO | libthrift: thrift: Endless loop when fed specific input data |
| CVE-2019-0210 | Dependencies - Container, RH-SSO | libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol |
In addition, a separate update is available that resolves one further vulnerability. This update should also be applied:
| ID | Component | Summary |
|---|---|---|
| CVE-2020-1745 | Server | undertow: AJP File Read/Inclusion Vulnerability |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-13103 | Admin - Console | Management Console black screen - Syntax Error in polyfill.min.js with IE 11 |
| KEYCLOAK-13059 | Protocol - OIDC | LogoutEndpoint does not verify token type of id_token_hint |
| KEYCLOAK-13043 | Admin - Console, Database | unique constraint (IDPDEV.CONSTRAINT_AUTH_CFG_PK) violated updating to empty string of "X509/Validate Username" execution in authentication flow |
| KEYCLOAK-12920 | Containers - RH-SSO | Increase the "timeoutSeconds" and "initialDelaySeconds" to overcome issue starting PostgreSQL OpenShift container images |
| KEYCLOAK-12905 | Containers - RH-SSO | deployment fails when using sso73-x509-postgresql-persistent on OCP4.2 |
| KEYCLOAK-12756 | Adapter - Java | Adapter rejects tokens when issuedAt time is the same as NotBefore |
| KEYCLOAK-12699 | Containers - RH-SSO | Keycloak image generates empty keystore on empty /etc/x509/https directory |
| KEYCLOAK-12671 | Authentication, Identity Brokering | Passing email in login_hint query parameter during Identity brokering fails when an account already exists |
| KEYCLOAK-12618 | Protocol - SAML | SAML AuthnStatement SessionNotOnOrAfter is incorrect/expired |
| KEYCLOAK-12588 | Server | The cacheTemplates attribute has no effect |
| KEYCLOAK-12618 | Protocol - SAML | Nodejs connect tests are not runnable with 7.3.6 because of wrong base-url in testing realm |
Known Issues
The following are new known issues for this release. For other known issues, see the Red Hat Single Sign-On 7.3 Release Notes.
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-10260 | Server, Installation (Zip only) | Linux patch failure due to incorrect permissions. To fix this issue, go to the rh-sso-7.3 directory and issue this command: `chmod 775 .installation` |
| KEYCLOAK-11560 | Server | Low limit on the length of the USER_ENTITY.ID field in the DB schema (50 characters). This might be insufficient in some cases, for example for federated users whose ID also contains the prefix of their federated store. |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.3 Patching and Upgrading Guide.
The adapters are distributed as a full release that is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.