Red Hat Single Sign-On 7.6 Update 3 Release Notes
This software patch resolves a number of security defects and customer-reported bugs in Red Hat Single Sign-On 7.6. RH-SSO delivers cumulative patches on a recurring schedule to resolve security defects and customer-reported bugs. Fixes for RH-SSO 7.6 will continue until RH-SSO 7 reaches the end of its Maintenance Support phase.
Updated client adapters are released as needed to resolve customer-reported issues or security defects. Because adapters are released only as needed, a given cumulative patch version often has no associated client adapter release for every supported product.
This update includes all fixes and changes from Red Hat Single Sign-On 7.6 Update 2.
The Red Hat Single Sign-On server component is built on Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.4 Update 8. See the JBoss Enterprise Application Platform 7.4 Update 8 Release Notes for the list of changes included in that release.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2022-4492 | Server | undertow: Server identity in https connection is not checked by the undertow client |
| CVE-2022-41881 | Server | codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS |
| CVE-2022-41854 | Server | snakeyaml (dev-java/snakeyaml): DoS via stack overflow |
| CVE-2021-0341 | Server | okhttp: information disclosure via improperly used cryptographic function |
| CVE-2022-38752 | Server | snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode |
| CVE-2023-0482 | Server | RESTEasy: creation of insecure temp files |
| CVE-2022-45787 | Server | apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| RHSSO-1883 | OpenShift - xPaaS | RH-SSO pod should wait until the PostgreSQL database is up |
| RHSSO-2252 | Server | Backport "UI Policies search is broken" to RH-SSO 7.6.3 |
| RHSSO-2312 | Documentation | Shared command to sign CSR does not work in RH-SSO OpenShift documentation |
| RHSSO-2313 | OpenShift - xPaaS | RH-SSO pod crashes when adding the SSO_HOSTNAME environment variable |
| RHSSO-2316 | Server | Reuse of TOTP is possible |
| RHSSO-2346 | OpenShift - xPaaS | RH-SSO 7.6.X container image fails to start in a dual-stack enabled OpenShift cluster in the default setup |
| RHSSO-2347 | OpenShift - xPaaS | Fail to form a JGroups cluster on a dual-stack enabled OpenShift cluster |
| RHSSO-2362 | Server | When hitting the account client with the referrer parameter, the Account Console does not support relative client URLs |
| RHSSO-2428 | Server | Offline client sessions are not loaded from the database if unavailable in the cache |
| RHSSO-2434 | Server | Backport: scope entries added to a resource (authorization tab of a client) are displayed as "undefined" once saved |
| RHSSO-2435 | Server | /users/count endpoint with search field has different behavior than the /users query endpoint |
| RHSSO-2437 | Server | SQLGrammarException occurs if a user does not belong to any groups |
| RHSSO-2439 | Server | Token contains old DB values with the "Always Read Value From LDAP" mapper setting |
| RHSSO-2448 | Server | Ability for users to view credentials without manage-users permission |
| RHSSO- | Adapter | RH-SSO with EAP 7.4.9 adapter tests fail with an Elytron security context load issue |
Installation
Note: Apply this update only to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a micro release), see Micro Upgrades in the Red Hat Single Sign-On 7.6 Patching and Upgrading Guide.
The adapters are distributed as a full release that is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.