Red Hat Single Sign-On 7.4 Update 2 Release Notes
This software patch resolves a number of security defects and customer-reported bugs in Red Hat Single Sign-On 7.4. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer-reported bugs. Fixes for RH-SSO 7.4 will continue until RH-SSO 7.5 is released, at which time maintenance will be delivered on RH-SSO 7.5.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because the adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for every product.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.3 Update 2. See the JBoss Enterprise Application Platform 7.3 Update 2 Release Notes for a list of changes included in that release.
Download: Red Hat Single Sign-On 7.4 Update 2
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2020-10758, KEYCLOAK-14363 | Server | DoS by sending multiple simultaneous requests with a Content-Length header value greater than actual byte count of request body |
| CVE-2020-1728, KEYCLOAK-13294 | Server | Security headers missing on REST endpoints |
| CVE-2020-14307 | Server | jboss-ejb-client: wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service |
| CVE-2020-10740 | Server | wildfly: unsafe deserialization in Wildfly Enterprise Java Beans |
| CVE-2020-10718 | Server | wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API |
| CVE-2020-10693 | Server | hibernate-validator: Improper input validation in the interpolation of constraint error messages |
| CVE-2020-10687 | Server | wildfly-undertow: Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests |
| CVE-2020-10714 | Server | wildfly-elytron: session fixation when using FORM authentication |
| CVE-2020-11612 | Server | netty: compression/decompression codecs don't enforce limits on buffer allocation sizes |
| CVE-2020-10673 | Server | jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution |
| CVE-2020-10672 | Server | jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution |
| CVE-2020-1710 | Server | undertow: EAP: field-name is not parsed in accordance to RFC7230 |
| CVE-2020-1748 | Server | wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain |
| CVE-2020-10683 | Server | dom4j: XML External Entity vulnerability in default SAX parser |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-15082 | Openshift Operator | Keycloak operator contains wrong RHSSO init container image address |
| KEYCLOAK-15080 | Openshift Operator | Update RHSSO ImagePullPolicy to 'Always' to expedite CVE updates |
| KEYCLOAK-14900 | Admin - CLI, Admin - REST API | Adding a role to a composite role does not work with kcadm |
| KEYCLOAK-14849 | Core | StaxParserUtil is vulnerable to SSRF with XML input |
| KEYCLOAK-14654 | Identity Brokering | Instagram User Endpoint change |
| KEYCLOAK-14488 | Protocol - OIDC | Missing Referrer Policy + image injection on login screen lead to sensitive information disclosure |
| KEYCLOAK-14381 | Containers - RH-SSO | JAVA_MAX_MEM_RATIO not applied |
| KEYCLOAK-13885 | Admin - CLI | kcadm.sh can not affect role to composite role anymore if role contains U |
| KEYCLOAK-13880 | Account Management - Console | Internal query params are not removed after redirect from AIAs |
| KEYCLOAK-12108 | Containers - RH-SSO, Themes | Ability to set a global default theme and a custom welcome theme via environment variables on the RH-SSO Openshift image |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.3 Patching And Upgrading Guide.
The adapters are distributed as a full release that is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.