Red Hat Single Sign-On 7.6 Update 4 Release Notes
This software patch resolves a number of security defects and customer-reported bugs in Red Hat Single Sign-On 7.5. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer-reported bugs. Fixes for RH-SSO 7.5 will continue until RH-SSO 7.6 is released, and at that time maintenance will be delivered on RH-SSO 7.6.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because the adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for every product.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.4 Update 8. See the JBoss Enterprise Application Platform 7.4 Update 8 Release Notes for a list of changes included in that release.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2022-4361 | Server | keycloak-saml-core: XSS due to lax URI scheme validation |
| CVE-2023-1108 | Server | undertow: Infinite loop in SslConduit during close |
| CVE-2021-39144 | Server | xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.* |
| CVE-2023-1664 | Server | keycloak-core: keycloak: Untrusted Certificate Validation |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| RHSSO-2088 | Distribution | libunix-dbus-java is missing for rhel8 |
| RHSSO-2464 | Openshift - XPaas | Disable hot-rod model tests profile for RH-SSO 7.6.x |
| RHSSO-2157 | Server | register-node-at-startup in EAP Client Adapter eventually causes "java.lang.OutOfMemoryError: unable to create native thread" |
| RHSSO-2520 | Server | MySQL / MariaDB: DELETE user api uses inefficient SQL queries while deleting data from OFFLINE_CLIENT_SESSION |
| RHSSO-2522 | Server | EAP TLS adapters failing on OpenJDK 17 |
| RHSSO-2524 | Server | Resteasy version shipped with RHSSO 7.6.3 is causing OPTIONS request to fail |
| RHSSO-2255 | Server | Ability for users to view credentials without manage user permissions |
| RHSSO-2530 | Server | Paging for "Users in role" is not guaranteed to work with JPA |
| RHSSO-2531 | Server | RH-SSO 7.6.3 operator failing to deploy PostgreSQL pod |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.6 Patching and Upgrading Guide.
The adapters are distributed as a full release that is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.