Red Hat Single Sign-On 7.4 Update 9 Release Notes
This software patch resolves a number of security defects and customer-reported bugs in Red Hat Single Sign-On 7.4. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer-reported bugs. Fixes for RH-SSO 7.4 will continue until RH-SSO 7.5 is released, at which time maintenance will be delivered on RH-SSO 7.5.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because the adapters are released as needed, a given cumulative patch version will often not have an associated client adapter for all products.
This update includes all fixes and changes from Red Hat Single Sign-On 7.4 Update 8.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.3 Update 9. See the JBoss Enterprise Application Platform 7.3 Update 9 Release Notes for a list of changes included in that release.
Important Notices
Support for Red Hat Single Sign-On (RH-SSO) on Red Hat Enterprise Linux 6 (RHEL 6) is deprecated and the 7.5 release of RH-SSO will not be supported on RHEL 6. RHEL 6 entered the ELS phase of its lifecycle on November 30, 2020 and the Red Hat JBoss Enterprise Application Platform (EAP) that RH-SSO depends upon will drop support for RHEL 6 with the EAP 7.4 release. Customers should deploy their RH-SSO 7.5 upgrades on RHEL 7 or 8 versions.
Installation from an RPM is deprecated. Red Hat Single Sign-On will continue to deliver RPMs for the life of the 7.x product, but will not deliver RPMs with the next major version. The product will continue to support installation from a ZIP file and installation on OpenShift.
Red Hat Single Sign-On has deprecated Internet Explorer testing as a tested integration. Testing for Internet Explorer will be discontinued and replaced with Microsoft Edge in the next minor release.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2021-3690 | Server | undertow: buffer leak on incoming websocket PONG message may lead to DoS |
| CVE-2021-28170 | Server | jakarta.el: jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluated |
| CVE-2021-3644 | Core | wildfly-core: Invalid Sensitivity Classification of Vault Expression |
| CVE-2021-3637 | Server | keycloak-model-infinispan: authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly and could lead to a DoS attack |
| CVE-2021-3632 | Server | keycloak: Anyone can register a new device when there is no device registered for passwordless login |
| CVE-2021-3597 | Server | undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS |
| CVE-2020-28491 | Server | jackson-dataformat-cbor: Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception |
| CVE-2021-29425 | Server | commons-io: apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 |
| CVE-2021-3513 | Server | keycloak: Brute force attack is possible even after the account lockout |
| CVE-2020-35509 | Server | keycloak: X509 Direct Grant Auth does not verify certificate timestamp validity |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-18963 | Authentication | DirectGrant login should fail if authenticationSession contains some required actions |
| KEYCLOAK-18706 | LDAP | UPDATE_PASSWORD does not sync with pwdLastSet |
| KEYCLOAK-18559 | Adapter - JEE SAML | rh-sso-saml-eap7-adapter breaks JBoss EAP 7 'allow-unescaped-characters-in-url' behaviour |
| KEYCLOAK-18896 | Container | Update apiVersion in openshift resources from "v1" to correct value |
Known Issues
This update has the following known issue:
| ID | Component | Summary |
|---|---|---|
| KEYCLOAK-19236 | Server | Internet Explorer shows a design failure when going to Users or User Federation tab |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.4 Patching And Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.