Red Hat Single Sign-On 7.6 Update 6 Release Notes
This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.6. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.6 will continue until RH-SSO 7.6 is end of life.
Updated client adapters are released as needed to resolve customer reported issues or security fixes. The adapters are released as needed so often a given cumulative patch version will not have an associated client adapter for all products.
Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform and this update includes JBoss Enterprise Application Platform 7.4 Update 13. See the JBoss Enterprise Application Platform 7.4 Update 13 Release Notes for a list of changes included in that release.
Download This content is not included.Red Hat Single Sign-On 7.6 Update 6
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Component | Summary |
|---|---|---|
| CVE-2023-0105 | Server | keycloak: impersonation and lockout possible through incorrect handling of email trust |
| CVE-2023-33201 | Server | bouncycastle: potential blind LDAP injection attack using a self-signed certificate |
| CVE-2023-44487 | Server | undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) |
| CVE-2023-44487 | Server | netty-codec-http2: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| This content is not included.RHSSO-2073 | Server | Severe Performance degradation with Authorization service scaling |
| This content is not included.RHSSO-2691 | Operator | Limited URL Path Traversals in Openshift Operator |
| This content is not included.RHSSO-2528 | Server, Protocol - OIDC | id_token_hint for external IDP not sent after token expiry RH-SSO 7.6 |
| This content is not included.RHSSO-2543 | Server | Confidential clients created by REST ADMIN API not generating secret |
| This content is not included.RHSSO-2545 | Server | User Info ignores Token Mapper |
| This content is not included.RHSSO-2660 | Server | Data truncation: Data too long for column 'REPRESENTATION' at row 1 |
| This content is not included.RHSSO-2665 | Server | NPE with LDAP login to master realm with plaintext vault provider |
| This content is not included.RHSSO-2716 | Server, Protocol - OIDC | Logout request twice, the logout would fail |
| This content is not included.RHSSO-2724 | Server | The "invalid_grant" error occurs again when loading the offline client session with an early creation time |
| This content is not included.RHSSO-2726 | Server | Resteasy version shipped with RHSSO 7.6.5 is causing OPTIONS request to fail |
| This content is not included.RHSSO-2731 | Server | OIDC User Realm Role Mapper does not handle single value token claim correctly |
| This content is not included.RHSSO-2795 | Operator | The RH-SSO Operator can't connect to a DB if specified as an IP address |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release) see Micro Upgrades in Red Hat Single Sign-On 7.6 Patching And Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.