Red Hat Single Sign-On 7.4 Update 1 Release Notes
This software patch resolves a number of security defects and customer-reported bugs in Red Hat Single Sign-On 7.4. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer-reported bugs. Fixes for RH-SSO 7.4 will continue until RH-SSO 7.5 is released, at which time maintenance will be delivered on RH-SSO 7.5.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version often will not have an associated client adapter for every product.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.3 Update 1. See the JBoss Enterprise Application Platform 7.3 Update 1 Release Notes for a list of changes included in that release.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2020-11023 | Server | js-jquery: jQuery: passing HTML containing |
| CVE-2020-10748 | Server | top-level navigations to data URLs resulting in XSS are possible |
| CVE-2020-10719 | Server | undertow: invalid HTTP request with large chunk size |
| CVE-2020-9548 | Dependencies - Container, RH-SSO | jackson-databind: Serialization gadgets in anteros-core |
| CVE-2020-9547 | Dependencies - Container, RH-SSO | jackson-databind: Serialization gadgets in ibatis-sqlmap |
| CVE-2020-9546 | Dependencies - Container, RH-SSO | jackson-databind: Serialization gadgets in shaded-hikari-config |
| CVE-2020-8840 | Dependencies - Container, RH-SSO | jackson-databind: Lacks certain xbean-reflect/JNDI blocking |
| CVE-2020-1714 | RH-SSO | Lack of checks in ObjectInputStream leading to Remote Code Execution |
| CVE-2020-1694 | Adapter - Node.js | verify-token-audience support is missing in the NodeJS adapter |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-14411 | Openshift Operator | Unable to remove keycloak CRs during uninstallation |
| KEYCLOAK-14353 | Server | JavaScript injection vulnerability of User registration REST API |
| KEYCLOAK-14271 | Server | Re-allow special characters for Roles |
| KEYCLOAK-14215 | Server | top-level navigations to data URLs resulting in XSS are possible |
| KEYCLOAK-14131 | Server, Themes | Can't create client role with configure permission |
| KEYCLOAK-14080 | Admin - Console | "Resource not found" error thrown when trying to create a policy |
| KEYCLOAK-14056 | Admin - Console, Client Registration | 500 server error when attempting to create an authorization scope for a confidential client |
| KEYCLOAK-14030 | Admin - Console | Missing RHSSO 7.4 version in MigrationModelManager |
| KEYCLOAK-13990 | Admin - Console | fields using kc-password directives are in plain-text |
| KEYCLOAK-13987 | Server | Database Migration to >=9.0.1 fails on MySQL ??? |
| KEYCLOAK-13917 | Containers | JAVA_OPTS_APPEND is not taken into consideration in sso74-openshift-rhel8 image |
| KEYCLOAK-13901 | Admin - Console | Cannot create mappers which require certain characters like $ |
| KEYCLOAK-13898 | Admin - Console | Can't add user in admin console when 'Email as username' is enabled |
| KEYCLOAK-13897 | Admin - Console, Fine Grained Permissions | Client pagination with reduced permissions results in an empty response |
| KEYCLOAK-13896 | New Feature, Adapter - Javascript | Add support for Application Initiated Actions to keycloak.js |
| KEYCLOAK-13894 | Identity Brokering | Better message when saving a provider with invalid URLs |
| KEYCLOAK-13893 | Server | NPE when removing credentials and user cache is disabled |
| KEYCLOAK-13892 | Admin - REST API, Database | Possible Id-replacement issues in the admin REST API and model API |
| KEYCLOAK-13891 | Import/Export | NPE importing realm if authenticatorConfig has null alias |
| KEYCLOAK-13890 | Core | Keycloak does not perform TLS hostname verification when sending emails via an SMTP server |
| KEYCLOAK-13888 | Import/Export | NullPointerException on boot of RHSSO 7.4 or Keycloak 9.0.0 on former Keycloak 8.0.1 installation |
| KEYCLOAK-13887 | Adapter - Java Adapters | refresh token conflicts when "Revoke Refresh Token" is ON |
| KEYCLOAK-13884 | Admin - Console, Protocol - SAML | SAML client config: cannot remove fine grain configuration |
| KEYCLOAK-13882 | User Federation - LDAP | "LOAD_ROLES_BY_MEMBER_ATTRIBUTE_RECURSIVELY" user roles retrieve strategy role-ldap-mapper option should only be displayed if LDAP provider vendor is Active Directory |
| KEYCLOAK-13881 | Protocol - SAML | Unsigned SAML logout request throwing invalid_logout_request error |
| KEYCLOAK-13879 | Adapter - Java - WildFly | CORS with OIDC requests fails when using elytron adapter |
| KEYCLOAK-13874 | Adapter - Java - WildFly, Protocol - SAML | Keycloak Clustered SSO NPE |
| KEYCLOAK-13871 | Identity Brokering | IDP review profile allows empty username |
| KEYCLOAK-13870 | User Federation - LDAP | Inconsistency when using "forgot password" after changing email in LDAP |
| KEYCLOAK-13868 | Protocol - SAML | Undeclared namespace "ec" while deserializing SAML |
| KEYCLOAK-13867 | Identity Brokering | Deleting an Identity Provider doesn't remove the associated IdP Mapper for that user |
| KEYCLOAK-13866 | Adapter - Node.js | Add verify-token-audience support in the NodeJS adapter |
| KEYCLOAK-13865 | Core | Usage of ObjectInputStream without checking the object types |
| KEYCLOAK-13864 | Admin - Console, Authorization Services | Authorization Scope modified improperly when updating Resource |
| KEYCLOAK-13863 | Authentication | Disabling logged in user will not allow other user to login after he is thrown out of his session |
| KEYCLOAK-13862 | Authentication | Login after registration fails when other user was logged in before |
| KEYCLOAK-13861 | User Federation | NPE in KeycloakModelUtils.resolveAttribute |
| KEYCLOAK-13860 | Identity Brokering | Match subject when validating id_token returned from external OP |
| KEYCLOAK-13702 | Distribution - Maven | Update 3rd party deps versions automatically in maven repository |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.3 Patching And Upgrading Guide.
The adapters are distributed as a full release that is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.