Red Hat Single Sign-On 7.4 Update 6 Release Notes
This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.4. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.4 will continue until RH-SSO 7.5 is released, and at that time maintenance will be delivered on RH-SSO 7.5.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because the adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for all products.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.3 Update 6. See the JBoss Enterprise Application Platform 7.3 Update 6 Release Notes for a list of changes included in that release.
Important Notices
Red Hat Single Sign-On has deprecated Internet Explorer testing as a tested integration. Testing for Internet Explorer will be discontinued and replaced with Microsoft Edge in the next release.
Resolved Issues
This update includes fixes for the following security-related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2020-7676 | NodeJS Adapter | angular: nodejs-angular: XSS due to regex-based HTML replacement |
| CVE-2020-14302 | Server | keycloak: reusable "state" parameter at redirect_uri endpoint enables possibility of replay attacks |
| CVE-2021-20250 | Server | jboss-ejb-client: wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client |
| CVE-2021-20220 | Server | wildfly-undertow: undertow: Possible regression in fix for CVE-2020-10687 |
| CVE-2020-28052 | Server | bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible |
| CVE-2020-35510 | Server | jboss-remoting: Threads hold up forever in the EJB server by suppressing the ack from an EJB client |
| CVE-2020-8908 | Server | guava: local information disclosure via temporary directory created with unsafe permissions |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-17249 | Container - Operator | The RHSSO metrics endpoint is exposed to the outside world - OCP Route |
| KEYCLOAK-17207 | Server, Admin - REST API | Avoid removing attributes when updating user and profile |
| KEYCLOAK-17151 | Admin - REST API | REST API call PUT /{realm}/users/{id} rejects selective/partial user representation updates |
| KEYCLOAK-17150 | Account - REST API | Updating user account removes attributes |
| KEYCLOAK-17130 | Account - Console | User attributes are lost after user updates account with Account Management Console |
| KEYCLOAK-16940 | Authorization Services | Authz client still relying on refresh tokens when doing client credentials |
| KEYCLOAK-16736 | Container | WORKDIR is missed in the latest rh-sso-7/sso74-openshift-rhel8 container |
| KEYCLOAK-16618 | Container - Operator | Support StorageClass for Postgres DB via CR |
| KEYCLOAK-16599 | Container - Operator, RH-SSO | Regenerate CRDs as part of the build pipeline |
| KEYCLOAK-15239 | Authentication, RH-SSO | Reset Password Success Message not shown when Kerberos is Enabled |
| KEYCLOAK-17332 | Adapter - Spring | Upgrade Spring Boot 2.3 and Jetty 9.4 |
| KEYCLOAK-17271 | Container - Operator | Restructure the monitoring stack |
| KEYCLOAK-17246 | Container - Operator | Use at least two owners for caches in RHSSO image - operator change |
| KEYCLOAK-17220 | Container - Operator | Add anti-affinity settings to Keycloak Pods |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.4 Patching And Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.