Red Hat Single Sign-On 7.4 Update 4 Release Notes
This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.4. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.4 will continue until RH-SSO 7.5 is released, and at that time maintenance will be delivered on RH-SSO 7.5.
Updated client adapters are released as needed to resolve customer reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for every product.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.3 Update 4. See the JBoss Enterprise Application Platform 7.3 Update 4 Release Notes for a list of changes included in that release.
Important Notices
Red Hat Single Sign-On has deprecated Internet Explorer as a tested integration. Testing for Internet Explorer will be discontinued and replaced with Microsoft Edge in the next release.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2020-27826 / KEYCLOAK-16492 | Server, Account - REST API | Account REST API can update user metadata attributes |
| CVE-2020-25649 | Server | jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity |
| CVE-2020-25638 | Server | hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used |
| CVE-2020-13822 | Adapter - Node.js | Lack of encoding checks in ECDSA verification functionality in npm elliptic package, used by keycloak-node-connect |
| CVE-2020-10695 | Server | redhat-sso-7-openshift-containers: containers/redhat-sso-7: /etc/passwd is given incorrect privileges |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-16596 | Container - Operator | Resynchronize CRDs |
| KEYCLOAK-16324 | Container - Operator | Support Resources & Limits via CR |
| KEYCLOAK-16314 | Container - Operator | Remove python packages uninstall code from init-container Dockerfile |
| KEYCLOAK-16125 | Container - Operator | OLM installation fails because of incorrect CatalogSource for RHSSO subscription |
| KEYCLOAK-15294 | Container - Operator | Hardcoded service account name with Red Hat Single Sign On operator 7.4.1 |
| KEYCLOAK-16020 | Container - Operator | Backport of custom operator configuration improvements: KEYCLOAK-14782, KEYCLOAK-14470, KEYCLOAK-12677 |
| KEYCLOAK-16402 | OIDC | Allow any port with http://127.0.0.1 redirect URI |
| KEYCLOAK-16328 | Adapter - JavaScript | KeycloakJS breaks for extensions that send messages to new windows |
| KEYCLOAK-16206 | Server | New Feature: OAuth 2.0 Token Revocation (RFC 7009) |
| KEYCLOAK-16178 | Server | Client Credentials Grant no longer generated with refresh token by default. See Upgrading Guide for details. |
| KEYCLOAK-16172 | Server | Skip creating session for docker protocol authentication |
| KEYCLOAK-16162 | Adapter - JEE, OIDC | IDToken not refreshed when token gets refreshed in OIDC Adapter |
| KEYCLOAK-16062 | Adapter - JEE | PathMatcher buildUriFromTemplate throws unexpected ArrayIndexOutOfBoundException |
| KEYCLOAK-16029 | Server | Wrong parsing of Cookie HTTP header |
| KEYCLOAK-16028 | Adapter - Spring | Error in application logs when refresh token is expired |
| KEYCLOAK-16005 | SAML | SAML Identity Broker - Make Entity ID configurable |
| KEYCLOAK-15859 | Adapter - Node.js | Node.js Middleware: Cookie token store is broken |
| KEYCLOAK-15464 | Container, Server | 404 Not Found for *.less files on IE 11 |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.4 Patching and Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.