Red Hat Single Sign-On 7.3 Update 8 Release Notes

This software patch resolves a number of security defects and customer-reported bugs in Red Hat Single Sign-On 7.3. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer-reported bugs. Future maintenance releases for the Red Hat Single Sign-On 7 product will continue on Red Hat Single Sign-On 7.4.

Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because the adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for every product.

For more information on which client adapters are tested and supported with Red Hat Single Sign-On versions, see:
Red Hat Single Sign-On adapter and server compatibility

This update includes all fixes and changes from Red Hat Single Sign-On 7.3 Update 7.

The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.2 Update 8. See the JBoss Enterprise Application Platform 7.2 Update 8 Release Notes for a list of changes included in that release.

Download Red Hat Single Sign-On 7.3 Update 8

The OpenShift Container Platform container image for Red Hat Single Sign-On 7.3 has been deprecated. To find the 7.3 container image in the Red Hat Container Catalog, select the Include Deprecated checkbox when searching for images, or use the direct link: the Red Hat Single Sign-On 7.3 image is located here.

Resolved Issues

This update includes fixes for the following security-related issues:

ID | Component | Summary
CVE-2020-1718 | Server | security issue on reset credential flow
CVE-2020-1758 | Server | improper verification of certificate with host mismatch could result in information disclosure
CVE-2020-1724 | Server | problem with privacy after user logout
CVE-2020-7226 | Server | cryptacular: excessive memory allocation during a decode operation
CVE-2019-10174 | Server | infinispan: invokeAccessibly method from ReflectionUtil
CVE-2018-14371 | Server | mojarra: Path traversal in ResourceManager.java:getLocalePrefix
CVE-2020-1757 | Server | undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass
CVE-2020-1719 | Server | wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
CVE-2019-17573 | Server | cxf-core: cxf: reflected XSS in the services listing page
CVE-2020-1695 | Server | resteasy-jaxrs: resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
CVE-2019-14900 | Server | hibernate-core: hibernate: SQL injection issue in Hibernate ORM
CVE-2019-10172 | Server | jackson-mapper-asl: XML external entity similar to CVE-2016-3720

This update includes the following bug fixes or changes:

ID | Component | Summary
KEYCLOAK-13058 | Adapter - Node.js | Add verify-token-audience support in the NodeJS adapter
KEYCLOAK-13574 | Containers | Missing Jolokia content under /opt/jboss/container/jolokia
KEYCLOAK-13258 | Server | "You took too long to login" after first login request after SSO session idle occurs

Known Issues

The following are new known issues for this release. For additional known issues, see the Red Hat Single Sign-On 7.3 Release Notes.

ID | Component | Summary
KEYCLOAK-10260 | Server, Installation (Zip only) | Linux patch failure due to incorrect permissions. To fix this issue, go to the rh-sso-7.3 directory and issue this command: chmod 775 .installation
KEYCLOAK-11560 | Server | Low limit on the length of the USER_ENTITY.ID field in the DB schema (50 characters). This might be insufficient in some cases, for example for federated users, whose ID also contains the prefix of their federated store.

Installation

Note: This update should only be applied to zip-based installations.

For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.3 Patching and Upgrading Guide.

The adapters are distributed as a full release that is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.