Red Hat Single Sign-On 7.4 Update 7 Release Notes
This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.4. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.4 will continue until RH-SSO 7.5 is released, and at that time maintenance will be delivered on RH-SSO 7.5.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter release for every supported product.
This update includes all fixes and changes from Red Hat Single Sign-On 7.4 Update 6.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.3 Update 7. See the JBoss Enterprise Application Platform 7.3 Update 7 Release Notes for a list of changes included in that release.
Important Notices
Installation from an RPM is deprecated. Red Hat Single Sign-On will continue to deliver RPMs for the life of the 7.x product, but will not deliver RPMs with the next major version. The product will continue to support installation from a ZIP file and installation on OpenShift.
Red Hat Single Sign-On has deprecated Internet Explorer testing as a tested integration. Testing for Internet Explorer will be discontinued and replaced with Microsoft Edge in the next minor release.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2021-3461 | Server | keycloak: Backchannel logout not working when Principal Type is set to Attribute Name for external SAML IDP |
| CVE-2021-21295 | Server | netty: possible request smuggling in HTTP/2 due to missing validation |
| CVE-2021-3424 | Server | keycloak: Internationalized domain name (IDN) homograph attack to impersonate users |
| CVE-2020-13949 | RH-SSO | libthrift: potential DoS when processing untrusted payloads |
| CVE-2021-21290 | RH-SSO | netty: Information disclosure via the local system temporary directory |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-17829 | Server | Unnecessary calls to session.users().getUserById in DefaultBruteForceProtector |
| KEYCLOAK-17847 | Authorization Services | Protection API resource_set endpoint does not match nested path routes |
| KEYCLOAK-17665 | Adapter - Spring | Forwarded query parameters don't work |
| KEYCLOAK-17833 | Container - Operator | keycloak init image does not pick up package updates on respin |
| KEYCLOAK-17736 | Authentication | Failed to make identity provider oauth callback: javax.net.ssl.SSLException: Connection reset |
| KEYCLOAK-15440 | Authentication | Password Form not working with LDAP credential store |
| KEYCLOAK-17747 | Server, REST Admin API | Timeouts with large numbers of clients |
| KEYCLOAK-14846 | Storage | Default roles processing is very slow with a large number of clients |
| KEYCLOAK-17648 | Container | Make transaction timeout configurable |
| KEYCLOAK-17645 | RH-SSO | Incorrect resource match is returned in some cases when using a wildcard in the URI |
| KEYCLOAK-17644 | Container - Operator | Operator is not picking the right RH-SSO image on architectures other than amd64 |
| KEYCLOAK-17532 | Container - Operator | Permission issues with 7.4.6-rhsso-operator |
| KEYCLOAK-17405 | Authentication | Session auth time updated when user has not re-authenticated |
| KEYCLOAK-14961 | SAML | SAML Identity Provider - Add ability to request specific AuthnContexts |
| KEYCLOAK-17084 | Admin - REST API | Support querying clients by client attributes |
| KEYCLOAK-16592 | SAML | Accept SAML requests without Destination from ECP |
| KEYCLOAK-17256 | Admin - REST API | Keycloak is vulnerable to IDN homograph attack (see CVE-2021-3424) |
| KEYCLOAK-16800 | Server | userinfo fails with 500 Internal Server Error for service account token |
| KEYCLOAK-17454 | Storage | Slowness when calling /auth/admin/realms/$REALM/clients?viewableOnly=true after deleting a role |
| KEYCLOAK-14913 | Server | GitLab Identity Provider shouldn't request the 'api' scope |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a micro release), see Micro Upgrades in the Red Hat Single Sign-On 7.4 Patching and Upgrading Guide.
The adapters are distributed as a full release, which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.