Red Hat Single Sign-On 7.6 Update 10 Release Notes

Updated

This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.6. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.6 will continue until RH-SSO 7.6 is end of life.

Updated client adapters are released as needed to resolve customer reported issues or security fixes. Because the adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for every product.

The Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform, and this update includes JBoss Enterprise Application Platform 7.4 Update 18. See the JBoss Enterprise Application Platform 7.4 Update 18 Release Notes for a list of changes included in that release.


Resolved Issues

This update includes fixes for the following security related issues:

ID              Summary
CVE-2024-4629   An attacker could potentially bypass brute force protection by launching multiple login attempts in parallel.
CVE-2024-7341   Session fixation in the Elytron SAML adapters, fixed to better protect against possible cookie hijacking.
CVE-2024-5967   Leak of the configured LDAP bind credentials through the Keycloak admin console: a user with the appropriate permission could change the host URL to an attacker's machine.

This update includes the following bug fixes or changes:

ID           Summary
RHSSO-2659   send-verify-email is sending emails like execute-actions-email
RHSSO-2714   Backport concurrent session cleanup to prevent deadlocks
RHSSO-2787   After impersonating a user, the same AUTH_SESSION_ID is used when hitting the /required-action endpoint
RHSSO-2789   When upgrading from RH SSO 7.5, the resulting 'standalone.xml' configuration file is inconsistent depending on the RH SSO 7.6 version
RHSSO-2888   Option for "Suppress logout confirmation screen"
RHSSO-2947   SSO authentication fails for every user after deleting a client without having first deleted that client's role mapper
RHSSO-3053   Update the CLI installation scripts for the SAML Elytron adapter
RHSSO-3108   Realm cannot be deleted if it has a very large number of consents
RHSSO-3109   Brute force protection: a successfully logged in user should not have to wait up to 5 seconds for event processing
RHSSO-3110   DirectAccessGrantsLoginModule logs at WARN level
RHSSO-3121   Pass WebAuthn signature algorithm IDs as integers instead of strings
RHSSO-3122   Login / Admin events filtered by date under realm Events return incorrect results

Installation

Note: This update should only be applied to zip-based installations.

For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.6 Patching And Upgrading Guide.

The adapters are distributed as a full release that is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.
