Red Hat Single Sign-On 7.6 Update 7 Release Notes
This software patch resolves a number of security defects and customer-reported bugs in Red Hat Single Sign-On 7.6. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer-reported bugs. Fixes for RH-SSO 7.6 will continue until RH-SSO 7.6 reaches end of life.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version often has no associated client adapter for every product.
The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.4 Update 15. See the JBoss Enterprise Application Platform 7.4 Update 15 Release Notes for a list of changes included in that release.
Resolved Issues
This update includes fixes for the following security related issues:
| ID | Summary |
|---|---|
| CVE-2023-2976 | guava: insecure temporary directory creation |
| CVE-2023-6134 | keycloak-core: keycloak: reflected XSS via wildcard in OIDC redirect_uri |
| CVE-2023-6291 | keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts |
| CVE-2023-6484 | keycloak: Log Injection during WebAuthn authentication or registration |
| CVE-2023-6927 | keycloak-core: open redirect via "form_post.jwt" JARM response mode |
| CVE-2023-26048 | jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter() |
| CVE-2023-26049 | jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies |
| CVE-2023-44483 | santuario: Private Key disclosure in debug-log output |
This update includes the following bug fixes or changes:
| ID | Component | Summary |
|---|---|---|
| RHSSO-2688 | Console | ProdSec PT: RHSSO: User Federation: Blind LDAP Injection in Users Search |
| RHSSO-2693 | Console | PT Product Security: keycloak: account-console: users can delete their password |
| RHSSO-2700 | Server | RHSSO throwing java.lang.NullPointerException message Invalid redirect uri |
| RHSSO-2796 | Server | Storage Provider Timeout is not configurable |
| RHSSO-2822 | Server | Memory exhaustion vulnerability in server due to unrestricted loading of offline tokens |
| RHSSO-2857 | Server | Script for automatic heap size calculation is broken in OpenShift 4.14 |
Installation
Note: This update should only be applied to zip-based installations.
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.6 Patching And Upgrading Guide.
The adapters are distributed as a full release that is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.