Red Hat Single Sign-On 7.6 Update 2 Release Notes
This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.5. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.5 will continue until RH-SSO 7.6 is released, and at that time maintenance will be delivered on RH-SSO 7.6.
Updated client adapters are released as needed to resolve customer reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version often will not have an associated client adapter for every product.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.4 Update 8. See the JBoss Enterprise Application Platform 7.4 Update 8 Release Notes for a list of changes included in that release.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2019-11358 | Server | keycloak-idp-jquery: jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection |
| CVE-2020-11022 | Server | keycloak-idp-jquery: jquery: Cross-site scripting due to improper handling in the jQuery.htmlPrefilter method |
| CVE-2020-11023 | Server | keycloak-idp-jquery: jquery: Passing HTML containing |
| CVE-2022-1438 | Server | keycloak-services: keycloak: XSS on impersonation under specific circumstances |
| CVE-2022-24785 | Server | Moment.js: Path traversal in moment.locale |
| CVE-2022-1274 | Server | keycloak: missing email notification template allowlist |
| CVE-2018-14040 | Server | keycloak-theme: bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute |
| CVE-2021-44906 | Server | keycloak-theme: minimist: prototype pollution |
| CVE-2022-2237 | Server | Keycloak Node.js Adapter: Open redirect vulnerability in checkSSO |
| CVE-2022-31129 | Server | moment: inefficient parsing algorithm resulting in DoS |
| CVE-2022-2764 | Server | undertow: DoS can be achieved because the Undertow server waits forever for the LAST_CHUNK on EJB invocations |
| CVE-2022-25857 | Server | snakeyaml: Denial of Service due to missing nested depth limitation for collections |
| CVE-2022-37603 | Server | loader-utils: Regular expression denial of service |
| CVE-2022-4039 | Server | RH-SSO for OpenShift images: rhsso-operator: unsecured management interface exposed to adjacent network |
| CVE-2022-45047 | Server | sshd-common: mina-sshd: Java unsafe deserialization vulnerability |
| CVE-2022-4137 | Server | keycloak-core: keycloak: reflected XSS attack |
| CVE-2022-42004 | Server | jackson-databind: use of deeply nested arrays |
| CVE-2022-42003 | Server | jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS |
| CVE-2022-3782 | Server | keycloak: path traversal via double URL encoding |
| CVE-2022-3916 | Server | keycloak: Session takeover with OIDC offline refreshtokens |
| CVE-2022-46364 | Server | CXF: Apache CXF: SSRF Vulnerability |
| CVE-2022-46363 | Server | CXF: Apache CXF: directory listing / code exfiltration |
| CVE-2022-40149 | Server | jettison: parser crash by stackoverflow |
| CVE-2022-40150 | Server | jettison: memory exhaustion via user-supplied XML or JSON data |
| CVE-2022-38749 | Server | snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode |
| CVE-2022-38751 | Server | snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match |
| CVE-2018-14042 | Server | rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip |
| CVE-2022-38750 | Server | snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject |
| CVE-2022-45693 | Server | jettison: If a value in the map is the map itself, new JSONObject(map) causes a StackOverflowError, which may lead to DoS |
| CVE-2023-0091 | Server | keycloak: Client Registration endpoint does not check token revocation |
| CVE-2021-35065 | Server | glob-parent: Regular Expression Denial of Service |
| CVE-2022-46175 | Server | json5: Prototype Pollution in JSON5 via Parse Method |
| CVE-2023-0264 | Server | keycloak-core: keycloak: user impersonation via stolen uuid code |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| RHSSO-2299 | Distribution | Setting ENABLE_JSON_LOGGING=true yields "Message: WFLYCTL0073: An element of this type named 'OPENSHIFT' has |
| RHSSO-1953 | Openshift - XPaas | RH-SSO server can't be configured using the CONFIG_ADJUSTMENT_MODE=cli mode. Although the CLI scripts are generated, they aren't executed |
| RHSSO-2153 | Server | User session limit refers to "Post Broker Login Flow", which is incorrect terminology |
| RHSSO-2214 | Server | RH SSO Operator End Point for Database external to Openshift |
| RHSSO-2246 | Server | RH-SSO operator documentation indicates SSL_MODE instead of SSLMODE |
| RHSSO-2254 | Server | CPU and Memory Limits in the RH SSO Operator are not applied to the init container |
| RHSSO-2255 | Server | Update description of "experimental" field in Keycloak CRD |
| RHSSO-2257 | Server | Operator docs falsely imply that the password in the User CR is NOT reconciled |
| RHSSO-2297 | Server | Dropdowns not populating on client permissions screen in the console |
| RHSSO-2309 | Server | RH-SSO 7.6 welcome/login screen background |
| RHSSO-2315 | Server | Improve Realm Key rotation documentation |
| RHSSO-2320 | Server | Release nodejs and JS adapters as npm packages |
| RHSSO-2323 | Server | Performance issues while loading millions of user consents |
| RHSSO-2329 | Server | Upgrade Liquibase to 4.16.1 |
| RHSSO-2330 | Server | Wrong auth session id being used when validating auth session id cookies |
| RHSSO-2350 | Server | OIDC Logout does not work with HTTP Servlets and JBoss EAP 7 |
| RHSSO-2351 | Server | OIDC Logout does not work with HTTPS Servlets and JBoss EAP 7 |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.6 Patching And Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.