Red Hat Single Sign-On 7.4 Update 3 Release Notes
This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.4. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.4 will continue until RH-SSO 7.5 is released, and at that time maintenance will be delivered on RH-SSO 7.5.
Updated client adapters are released as needed to resolve customer-reported issues or security defects. Because adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for every product.
The Red Hat Single Sign-On server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.3 Update 3. See the JBoss Enterprise Application Platform 7.3 Update 3 Release Notes for a list of changes included in that release.
Download Red Hat Single Sign-On 7.4 Update 3
Important Notices
Microsoft has ended support for Internet Explorer. Red Hat Single Sign-On has deprecated Internet Explorer as a tested integration; testing for Internet Explorer will be discontinued and replaced with Microsoft Edge in the next release.
An additional zero-day issue was identified and resolved with a patch. Download and apply the security advisory for CVE-2020-25644.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2020-14389 (KEYCLOAK-15295) | Server | keycloak: user can manage resources with just "view-profile" role using new Account Console |
| CVE-2020-10776 | Server | keycloak: OIDC redirect_uri allows dangerous schemes resulting in potential XSS |
| CVE-2020-14340 | Server | xnio: file descriptor leak caused by growing amounts of NIO Selector file handles may lead to DoS |
| CVE-2020-14338 | Server | xercesimpl: wildfly: XML validation manipulation due to incomplete application of use-grammar-pool-only in xercesImpl |
| CVE-2020-1954 | Server | cxf-core: cxf: JMX integration is vulnerable to a MITM attack |
| CVE-2020-14299 | Server | picketbox: JBoss EAP reload to admin-only mode allows authentication bypass |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-15741 | SAML Adapter - JEE | Refresh SAML adapter session cache after node restart to avoid 'Session xxxxx has expired on some other node' |
| KEYCLOAK-15723 | Adapter - JavaScript | KeycloakPromise sometimes doesn't work |
| KEYCLOAK-15274 | Server | Server error during account updates |
| KEYCLOAK-15714 | Containers - Operator | Operator unit tests: dependency failure |
| KEYCLOAK-15611 | Protocol - OIDC | The userinfo endpoint ignores mappers on the "sub" claim |
| KEYCLOAK-15589 | Adapter - JavaScript | JavaScript adapter init() is throwing a promise error |
| KEYCLOAK-15502 | Adapter - Java - WildFly | Provide a Galleon feature pack for client-side adapters in WildFly |
| KEYCLOAK-15453 | Protocol - SAML | SAML brokering with POST binding is broken by new SameSite policies |
| KEYCLOAK-15413 | User Federation - LDAP | Allow case-sensitive usernames when syncing users from LDAP |
| KEYCLOAK-15374 | Authorization Services | Authorization context not always considering scope when checking permission |
| KEYCLOAK-15232 | Server | Brute force detection doesn't reset on successful Resource Owner Grant Type authentication |
| KEYCLOAK-15225 | Authentication, Token Exchange | Authentication fails with federated user if "Consent required" is on |
| KEYCLOAK-15215 | Containers - Operator | Fix panic when picking up PowerPC architecture |
| KEYCLOAK-15193 | Containers - Operator | Confidential clients can't be created with YAML |
| KEYCLOAK-15181 | Containers - Operator | Wrong PVC mount point for PostgreSQL pod using Red Hat Single Sign-On Operator 7.4.1 on OpenShift |
| KEYCLOAK-14759 | Distribution - WildFly | RuntimeExceptions thrown during factory initialization do not print full stack trace |
| KEYCLOAK-15405 | Distribution - RPM | rh-sso7-libunix-dbus-java rpm missing |
| KEYCLOAK-15597 | Identity Brokering | Identity Provider SAML Error event type missing |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a micro release), see Micro Upgrades in the Red Hat Single Sign-On 7.4 Patching and Upgrading Guide.
The adapters are distributed as a full release that is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.