Red Hat Single Sign-On 7.5 Update 3 Release Notes
This software patch resolves a number of security defects and customer-reported bugs in Red Hat Single Sign-On 7.5. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer-reported bugs. Fixes for RH-SSO 7.5 will continue until RH-SSO 7.6 is released, at which time maintenance will be delivered on RH-SSO 7.6.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because the adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for every product.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.4 Update 3 and Update 4. See the JBoss Enterprise Application Platform 7.4 Update 3 Release Notes and the JBoss Enterprise Application Platform 7.4 Update 4 Release Notes for a list of changes included in those releases.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2021-43797 | Server | netty: control chars in header names may lead to HTTP request smuggling |
| CVE-2021-42392 | Server | h2: Remote Code Execution in Console |
| CVE-2020-36518 | Server | jackson-databind: denial of service via a large depth of nested objects |
| CVE-2022-0084 | Server | xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr |
| CVE-2022-0866 | Server | wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled |
| CVE-2022-2668 | Server | keycloak-saml-core: keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console |
| CVE-2022-2256 | Server | keycloak-core: keycloak: improper input validation permits script injection |
| CVE-2022-0225 | Server | keycloak: Stored XSS in groups dropdown |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| RHSSO-2017 | OpenShift - xPaaS | Escape all XML special characters |
| RHSSO-1861 | RPM Distribution | RH-SSO-7.5.1 and EAP-7.4.2 can't be installed on the same machine |
| RHSSO-1912 | Server | NullPointerException in LDAPStorageProvider |
| RHSSO-1930 | Server | Incorrect username logged for federated accounts |
| RHSSO-1937 | Server | Expired cache objects in infinispan cache are never garbage collected in standalone configuration |
| RHSSO-2076 | Documentation | Document that 7.6 Operator is compatible with 7.5 Keycloak |
| RHSSO-2159 | Server | LDAP connection timeout is treated as login failure and brute force locking the user |
| RHSSO-2175 | Server | LDAPOperationManager.getFilterById is causing additional call to AD |
| RHSSO-2180 | OpenShift - xPaaS | Use explicit URLs for txn-recovery-marker-jdbc-common and txn-recovery-marker-jdbc-hibernate5 artifacts |
Known Issues
This update has the following known issue:
| ID | Component | Summary |
|---|---|---|
| RHSSO-2238 | OpenShift Container | Using the ENABLE_ACCESS_LOG=true env var makes the resulting "standalone-openshift.xml" config file not well-formed |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.5 Patching and Upgrading Guide.
The adapters are distributed as a full release that is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.