Red Hat: RHSA-2018:3595 Moderate: Single Sign-On Auth Issues and Fixes
Nov 13, 2018
•
LinuxSecurity Advisories
2 - 4 min read
A security update is now available for Red Hat Single Sign-On 7.2 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
==================================================================== Red Hat Security Advisory
Synopsis: Moderate: Red Hat Single Sign-On 7.2.5 security and bug fix update
Advisory ID: RHSA-2018:3595-01
Product: Red Hat Single Sign-On
Advisory URL: https://access.redhat.com/errata/RHSA-2018:3595
Issue date: 2018-11-13
CVE Names: CVE-2018-10894 CVE-2018-14627 CVE-2018-14655
CVE-2018-14657 CVE-2018-14658
====================================================================
1. Summary:
A security update is now available for Red Hat Single Sign-On 7.2 from the
Customer Portal.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat Single Sign-On 7.2 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.2.5 serves as a replacement for
Red Hat Single Sign-On 7.2.4, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.
Security Fix(es):
* keycloak: auth permitted with expired certs in SAML client
(CVE-2018-10894)
* JBoss/WildFly: iiop does not honour strict transport confidentiality
(CVE-2018-14627)
* keycloak: XSS-Vulnerability with response_mode=form_post (CVE-2018-14655)
* keycloak: Open Redirect in Login and Logout (CVE-2018-14658)
* keycloak: brute force protection not working for the entire login
workflow (CVE-2018-14657)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
The CVE-2018-10894 issue was discovered by Benjamin Berg (Red Hat).
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
1599434 - CVE-2018-10894 keycloak: auth permitted with expired certs in SAML client
1624664 - CVE-2018-14627 JBoss/WildFly: iiop does not honour strict transport confidentiality
1625396 - CVE-2018-14655 keycloak: XSS-Vulnerability with response_mode=form_post
1625404 - CVE-2018-14657 keycloak: brute force protection not working for the entire login workflow
1625409 - CVE-2018-14658 keycloak: Open Redirect in Login and Logout
5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):
JBEAP-15587 - Tracker bug for the RH-SSO 7.2.5 release for RHEL7
6. References:
https://access.redhat.com/security/cve/CVE-2018-10894
https://access.redhat.com/security/cve/CVE-2018-14627
https://access.redhat.com/security/cve/CVE-2018-14655
https://access.redhat.com/security/cve/CVE-2018-14657
https://access.redhat.com/security/cve/CVE-2018-14658
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=core.service.rhsso&version=7.2
https://access.redhat.com/documentation/en-us/red_hat_single_sign_on/?version=7.2
7. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBW+sWFdzjgjWX9erEAQiuDw//fgqrRNz1txJY0aKnjHZIZS2lNnFfr11+
ofWZugIWemmpeRAGRrz02zKQ9psZm7m/ES2HL6tNgngdLfVfwgKxbnp7Tf4BP5wN
fhKSldEraSuusgmCKFM5DWrMM0CaTeKXbjIIrRTXw9Db27Me+oKiGhiJoMlRKwAF
VPn3xNrkXvM8aUkKuWnr+gaCf9YZqxtnfwbijyqWEbqid/qKO1E+BME/YQ6HWgfP
As8KmE1gjgAmkyLLqOM3XET/tIikpWp+O3TWAc/fPW3mN5X08IwS2DdBjXvCIC0z
p0g2EqSBBgFOGST3OT5ZW9WF0aOWP+zMNE4pbOmiZB9G6NX8QcB511wre8FLStfS
WtD1wYNGTH8iPwiSHLa7sl9hlkDEGVLrUwPiw4x6kIYGigJGsQQswq6a7sCUAplI
6f2HYqoVoPH1/CyGk4tAd+G9JeaBf0KX41SQIwZR6ecKXYNqSyjnGUMBpqL50QIc
hO4v6Vp2aytFSUHJinlzD0EQa/vQPpZHBpxP8gB97a7MgE+PzrTFqTnJKDDVHCk3
BsPOudi3uyMNMBVNS5Rxpm9YmyLDNfVV/sjWxNLfiHB4SEJodfNY7+pPJPqtoVCt
3xsr7/ZEZhpCZuWYNHqd+Qvg73DdyP1cMOpYaJckmbrllxIDaYTdaMvYh+cinGf6
PAak4rmtEpc=uZwS
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
This email address is being protected from spambots. You need JavaScript enabled to view it.
PREVIOUS
NEXT
Warning: Undefined array key "solution" in /var/www/www.linuxsecurity.com-443/html/lsadvisories/lsadvisories.php on line 316
Red Hat: RHSA-2018:3595 Moderate: Single Sign-On Auth Issues and Fixes
red hat
November 13, 2018
A security update is now available for Red Hat Single Sign-On 7.2 from the Customer Portal
Solution
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link (you must
log in to download the update).
Summary
Red Hat Single Sign-On 7.2 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.2.5 serves as a replacement for
Red Hat Single Sign-On 7.2.4, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.
Security Fix(es):
* keycloak: auth permitted with expired certs in SAML client
(CVE-2018-10894)
* JBoss/WildFly: iiop does not honour strict transport confidentiality
(CVE-2018-14627)
* keycloak: XSS-Vulnerability with response_mode=form_post (CVE-2018-14655)
* keycloak: Open Redirect in Login and Logout (CVE-2018-14658)
* keycloak: brute force protection not working for the entire login
workflow (CVE-2018-14657)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
The CVE-2018-10894 issue was discovered by Benjamin Berg (Red Hat).
References
https://access.redhat.com/security/cve/CVE-2018-10894 https://access.redhat.com/security/cve/CVE-2018-14627 https://access.redhat.com/security/cve/CVE-2018-14655 https://access.redhat.com/security/cve/CVE-2018-14657 https://access.redhat.com/security/cve/CVE-2018-14658 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=core.service.rhsso&version=7.2 https://access.redhat.com/documentation/en-us/red_hat_single_sign_on/?version=7.2
Package List
Advisory ID: RHSA-2018:3595-01
Product: Red Hat Single Sign-On
Advisory URL: https://access.redhat.com/errata/RHSA-2018:3595
Issue date: 2018-11-13
Topic
A security update is now available for Red Hat Single Sign-On 7.2 from theCustomer Portal.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.
Relevant Releases Architectures
Warning: Undefined array key "relevant_releases_architectures" in /var/www/www.linuxsecurity.com-443/html/tmp/regularlabs/custom_php/34212_3e4bf4acb8c07dfea38b8147414a3c74 on line 11
Warning: Undefined array key "relevant_releases_architectures" in /var/www/www.linuxsecurity.com-443/html/tmp/regularlabs/custom_php/34212_3e4bf4acb8c07dfea38b8147414a3c74 on line 16
Bugs Fixed
1599434 - CVE-2018-10894 keycloak: auth permitted with expired certs in SAML client
1624664 - CVE-2018-14627 JBoss/WildFly: iiop does not honour strict transport confidentiality
1625396 - CVE-2018-14655 keycloak: XSS-Vulnerability with response_mode=form_post
1625404 - CVE-2018-14657 keycloak: brute force protection not working for the entire login workflow
1625409 - CVE-2018-14658 keycloak: Open Redirect in Login and Logout
5. JIRA issues fixed (https://redhat.atlassian.net/jira/projects):
JBEAP-15587 - Tracker bug for the RH-SSO 7.2.5 release for RHEL7
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!