Red Hat Single Sign-On 7.4 Update 10 Release Notes
This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.4. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Future maintenance releases for Red Hat Single Sign-On 7 product will continue on Hat Single Sign-On 7.5.
Updated client adapters are released as needed to resolve customer reported issues or security fixes. The adapters are released as needed so often a given cumulative patch version will not have an associated client adapter for all products.
This update includes all fixes and changes from Red Hat Single Sign-On 7.4 Update 9.
Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform and this update includes JBoss Enterprise Application Platform 7.3 Update 9. See the JBoss Enterprise Application Platform 7.3 Update 9 Release Notes for a list of changes included in that release.
Download This content is not included.Red Hat Single Sign-On 7.4 Update 10
Important Notices
Support for Red Hat Single Sign-On (RH-SSO) on Red Hat Enterprise Linux 6 (RHEL 6) is deprecated and the 7.5 release of RH-SSO will not be supported on RHEL 6. RHEL 6 entered the ELS phase of its lifecycle on November 30, 2020 and the Red Hat JBoss Enterprise Application Platform (EAP) that RH-SSO depends upon will drop support for RHEL 6 with the EAP 7.4 release. Customers should deploy their RH-SSO 7.5 upgrades on RHEL 7 or 8 versions.
Installation from an RPM is deprecated. Red Hat Single Sign-On will continue to deliver RPMs for the life of the 7.x product, but will not deliver RPMs with the next major version. The product will continue to support installation from a ZIP file and installation on OpenShift.
Red Hat Single Sign-On has deprecated Internet Explorer testing as a tested integration. Testing for Internet Explorer will be discontinued and replaced with Microsoft Edge in the next minor release.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2021-40690 | Server | xmlsec: xml-security: XPath Transform abuse allows for information disclosure |
| CVE-2021-37714 | Server | jsoup: Crafted input may cause the jsoup HTML and XML parser to get stuck |
| CVE-2021-3642 | Server | wildfly-elytron: possible timing attack in ScramServer |
| CVE-2021-3717 | Server | wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users |
| CVE-2021-20289 | Server | resteasy-jaxrs: resteasy: Error message exposes endpoint class information |
| CVE-2021-3629 | Server | undertow: potential security issue in flow control over HTTP/2 may lead to DOS |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| This content is not included.KEYCLOAK-19277 | Container | Segmentation error for RH-SSO 7.4.9 OpenJ9 OpenShift image |
| This content is not included.KEYCLOAK-19259 | LDAP | Unable to fetch list of members from a group through keycloak admin console. |
| This content is not included.KEYCLOAK-19236 | Admin Console | Internet explorer shows a design failure when going to Users or User Federation tab |
| This content is not included.KEYCLOAK-18357 | Container | No longer able to access to OCP/RH-SSO infinispan metrics with RH-SSO 7.4.7 |
| This content is not included.KEYCLOAK-15216 | Authentication | Usernames allow characters which can break cookies |
| This content is not included.KEYCLOAK-13987 | Storage | Database Migration to >=9.0.1 fails on MySQL |
Known Issues
This update has the following known issue:
| ID | Component | Summary |
|---|---|---|
| This content is not included.KEYCLOAK-19236 | Server | Internet explorer shows a design failure when going to Users or User Federation tab |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release) see Micro Upgrades in Red Hat Single Sign-On 7.4 Patching And Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.