RedHat: RHSA-2020-0445:01 Important: Red Hat Single Sign-On 7.3.6 security

    Date 05 Feb 2020
    474
    Posted By LinuxSecurity Advisories
    A security update is now available for Red Hat Single Sign-On 7.3 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Important: Red Hat Single Sign-On 7.3.6 security update
    Advisory ID:       RHSA-2020:0445-01
    Product:           Red Hat Single Sign-On
    Advisory URL:      https://access.redhat.com/errata/RHSA-2020:0445
    Issue date:        2020-02-06
    CVE Names:         CVE-2019-10173 CVE-2019-10219 CVE-2019-14540 
                       CVE-2019-14892 CVE-2019-14893 CVE-2019-16335 
                       CVE-2019-16869 CVE-2019-16942 CVE-2019-16943 
                       CVE-2019-17267 CVE-2019-17531 
    =====================================================================
    
    1. Summary:
    
    A security update is now available for Red Hat Single Sign-On 7.3 from the
    Customer Portal.
    
    Red Hat Product Security has rated this update as having a security impact
    of Important. A Common Vulnerability Scoring System (CVSS) base score,
    which gives a detailed severity rating, is available for each vulnerability
    from the CVE link(s) in the References section.
    
    2. Description:
    
    << AUTOMATICALLY GENERATED, EDIT PLEASE >>
    Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
    project, that provides authentication and standards-based single sign-on
    capabilities for web and mobile applications.
    
    This release of Red Hat Single Sign-On 7.3.6 serves as a replacement for
    Red Hat Single Sign-On 7.3.5, and includes bug fixes and enhancements,
    which are documented in the Release Notes document linked to in the
    References.
    
    Security Fix(es):
    
    * jackson-databind: enabling default typing leads to code execution
    (CVE-2019-17531)
    * netty: HTTP request smuggling by mishandled whitespace before the colon
    in HTTP headers (CVE-2019-16869)
    * jackson-databind: Serialization gadgets in classes of the p6spy package
    (CVE-2019-16943)
    * jackson-databind: Serialization gadgets in classes of the commons-dbcp
    package (CVE-2019-16942)
    * jackson-databind: Serialization gadgets in classes of the xalan package
    (CVE-2019-14893)
    * jackson-databind: Serialization gadgets in classes of the
    commons-configuration package (CVE-2019-14892)
    * jackson-databind: Serialization gadgets in classes of the ehcache package
    (CVE-2019-17267)
    * jackson-databind: polymorphic typing issue related to
    com.zaxxer.hikari.HikariConfig (CVE-2019-14540)
    * jackson-databind: polymorphic typing issue related to
    com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)
    * hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)
    * xstream: remote code execution due to insecure XML deserialization
    regression (CVE-2019-10173)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, and other related information, refer to the CVE page(s) listed in
    the References section.
    
    3. Solution:
    
    Before applying the update, back up your existing installation, including
    all applications, configuration files, databases and database settings, and
    so on.
    
    The References section of this erratum contains a download link (you must
    log in to download the update).
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1722971 - CVE-2019-10173 xstream: remote code execution due to insecure XML deserialization (regression of  CVE-2013-7285)
    1738673 - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS
    1755831 - CVE-2019-16335 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariDataSource
    1755849 - CVE-2019-14540 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig
    1758167 - CVE-2019-17267 jackson-databind: Serialization gadgets in classes of the ehcache package
    1758171 - CVE-2019-14892 jackson-databind: Serialization gadgets in classes of the commons-configuration package
    1758182 - CVE-2019-14893 jackson-databind: Serialization gadgets in classes of the xalan package
    1758187 - CVE-2019-16942 jackson-databind: Serialization gadgets in classes of the commons-dbcp package
    1758191 - CVE-2019-16943 jackson-databind: Serialization gadgets in classes of the p6spy package
    1758619 - CVE-2019-16869 netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers
    1775293 - CVE-2019-17531 jackson-databind: polymorphic typing issue when enabling default typing for an externally exposed JSON endpoint and having apache-log4j-extra in the classpath leads to code execution
    
    5. References:
    
    https://access.redhat.com/security/cve/CVE-2019-10173
    https://access.redhat.com/security/cve/CVE-2019-10219
    https://access.redhat.com/security/cve/CVE-2019-14540
    https://access.redhat.com/security/cve/CVE-2019-14892
    https://access.redhat.com/security/cve/CVE-2019-14893
    https://access.redhat.com/security/cve/CVE-2019-16335
    https://access.redhat.com/security/cve/CVE-2019-16869
    https://access.redhat.com/security/cve/CVE-2019-16942
    https://access.redhat.com/security/cve/CVE-2019-16943
    https://access.redhat.com/security/cve/CVE-2019-17267
    https://access.redhat.com/security/cve/CVE-2019-17531
    https://access.redhat.com/security/updates/classification/#important
    
    6. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2020 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXjvP+dzjgjWX9erEAQiA6w//bEZCBMap+/duSID0KMFutQbHVFKMbkMv
    UqTHTNZnPbsNYnmYvqL4X7/NqYU9768fUR1yHoiNjrwY4SdMh0o9JQ3TSfIxWCn1
    FoVqMsqtHWWJWHD8G54bxtP0HsJCLCXZd9WlqGTFfM+kpcAAqgNW0luyyzM+O4gd
    bXkPx4rxhqTc56WuUNFF9jtRAGe+PA49XqD2sAtAwfNAkmCCp1vbinffoG0D9tme
    zEMSuWieMm7BPYlvbdCY933cvG++mKJraI0pZqwtvUXHCbT9NQdLHUE/hcM+mDRP
    WFzkA6tHi2PzPA4LBCnivzQ6RvL3jT5R6X+GaQ+jaYwiZ+Bcgjnwvi+mzCqw5VDg
    gP1qyRFKaz9Rhknw9ORkchDJGqE9RnS3oOv8LVZ+3Ck9CRzuZ7sfWSNj4gke8ZGa
    f9ZdiKo/2lxPH2twbxTDiYHLRML40Mfrh9qtdsRswBvIxH0I+dn2yjL6/F4PB2y4
    xt3FTDR33YgXsVdY8jhAJZSE+5TVCH6jq/4wE4z/o5Vic1VJjjs8eE7Y9lao6NEn
    e3zeKtoHledPMD/AP+qRmuzlh/s5811/GURVo/L64G1AXOYAnF2HEuuPE4viZCDF
    8XlnGK/l6k+TXG+HVNkW/nKKLW6+chZ90LmJJGJLSFm/M4XeO4P/m2oS8AwULAHn
    S2Rt0bj/PBQ=
    =ouX7
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    

    LinuxSecurity Poll

    How do you feel about the elimination of the terms 'blacklist' and 'slave' from the Linux kernel?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/32-how-do-you-feel-about-the-elimination-of-the-terms-blacklist-and-slave-from-the-linux-kernel?task=poll.vote&format=json
    32
    radio
    [{"id":"112","title":"I strongly support this change - racially charged language should not be used in the code and documentation of the kernel and other open-source projects.","votes":"3","type":"x","order":"1","pct":42.86,"resources":[]},{"id":"113","title":"I'm indifferent - this small change will not affect broader issues of racial insensitivity and white privilege.","votes":"2","type":"x","order":"2","pct":28.57,"resources":[]},{"id":"114","title":"I'm opposed to this change - there is no need to change language that has been used for years. It doesn't make sense for people to take offense to terminology used in community projects.","votes":"2","type":"x","order":"3","pct":28.57,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.