RedHat: RHSA-2020-0951:01 Important: Red Hat Single Sign-On 7.3.7 security update

    Date 23 Mar 2020
    Posted By LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Important: Red Hat Single Sign-On 7.3.7 security update
    Advisory ID:       RHSA-2020:0951-01
    Product:           Red Hat Single Sign-On
    Advisory URL:      https://access.redhat.com/errata/RHSA-2020:0951
    Issue date:        2020-03-23
    CVE Names:         CVE-2019-0205 CVE-2019-0210 CVE-2019-10086 
                       CVE-2019-12400 CVE-2019-14885 CVE-2019-14887 
                       CVE-2019-20330 CVE-2019-20444 CVE-2019-20445 
                       CVE-2020-1744 CVE-2020-7238 
    =====================================================================
    
    1. Summary:
    
    A security update is now available for Red Hat Single Sign-On 7.3 from the
    Customer Portal.
    
    Red Hat Product Security has rated this update as having a security impact
    of Important. A Common Vulnerability Scoring System (CVSS) base score,
    which gives a detailed severity rating, is available for each vulnerability
    from the CVE link(s) in the References section.
    
    2. Description:
    
    Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
    project, that provides authentication and standards-based single sign-on
    capabilities for web and mobile applications.
    
    This release of Red Hat Single Sign-On 7.3.7 serves as a replacement for
    Red Hat Single Sign-On 7.3.6, and includes bug fixes and enhancements,
    which are documented in the Release Notes document linked to in the
    References.
    
    Security Fix(es):
    
    * libthrift: thrift: Endless loop when fed specific input data
    (CVE-2019-0205)
    
    * libthrift: thrift: Out-of-bounds read related to TJSONProtocol or
    TSimpleJSONProtocol (CVE-2019-0210)
    
    * commons-beanutils: apache-commons-beanutils: does not suppress the
    class property in PropertyUtilsBean by default (CVE-2019-10086)
    
    * xmlsec: xml-security: Apache Santuario potentially loads XML parsing code
    from an untrusted source (CVE-2019-12400)
    
    * JBoss EAP: Vault system property security attribute value is revealed on
    CLI 'reload' command (CVE-2019-14885)
    
    * wildfly: The 'enabled-protocols' value in legacy security is not
    respected if OpenSSL security provider is in use (CVE-2019-14887)
    
    * jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330)
    
    * netty: HTTP request smuggling (CVE-2019-20444)
    
    * netty: HttpObjectDecoder.java allows a Content-Length header to be
    accompanied by a second Content-Length header (CVE-2019-20445)
    
    * netty: HTTP Request Smuggling due to Transfer-Encoding whitespace
    mishandling (CVE-2020-7238)
    
    * keycloak: failedLogin Event not sent to BruteForceProtector when using
    Post Login Flow with Conditional-OTP (CVE-2020-1744)
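
The last entry deserves a concrete illustration of why a missing event is rated Important. The Python model below is an added example written for this page, not Keycloak code: it runs a two-step login (password, then OTP) in front of a per-user failure counter that locks the account once a threshold is reached. The `report_otp_failures` flag models the difference between the unpatched behaviour described above, where an OTP failure in the conditional post-login flow never reaches the brute-force protector, and the fixed behaviour. The user record, the fixed OTP value and the threshold of 30 (chosen to resemble a realm's default maximum login failures) are all assumptions of the model.

```python
import hmac

# Assumed threshold: resembles a realm's default "Max Login Failures" but is
# a parameter of this model, not a value read from Keycloak.
MAX_FAILURES = 30

# Constructed user record (not real credentials). A real OTP rotates every
# 30 s; a fixed code is used so the brute-force run is deterministic.
USERS = {"alice": {"password": "correct horse battery", "otp": "004242"}}


class BruteForceProtector:
    """Per-user failure counter that locks an account at MAX_FAILURES."""

    def __init__(self, max_failures: int = MAX_FAILURES):
        self.max_failures = max_failures
        self.failures: dict = {}

    def failed_login(self, user: str) -> None:
        self.failures[user] = self.failures.get(user, 0) + 1

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.max_failures

    def success(self, user: str) -> None:
        self.failures.pop(user, None)


def login(user, password, otp, protector, report_otp_failures):
    """Two-step flow: password, then OTP.

    report_otp_failures=False models the unpatched behaviour described in
    the advisory, where an OTP failure in the conditional post-login flow is
    never sent to the protector; True models the fixed behaviour.
    """
    if protector.is_locked(user):
        return "locked"
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(password, record["password"]):
        protector.failed_login(user)      # password failures were always reported
        return "bad-password"
    if not hmac.compare_digest(otp, record["otp"]):
        if report_otp_failures:
            protector.failed_login(user)  # the failedLogin event the fix adds
        return "bad-otp"
    protector.success(user)
    return "ok"


def brute_force_otp(user, password, report_otp_failures, max_attempts=1_000_000):
    """An attacker holding the password walks the 6-digit OTP space in order.

    Returns (outcome, attempts): 'compromised' once the OTP is accepted,
    'locked' once the protector refuses further attempts, or 'exhausted'.
    """
    protector = BruteForceProtector()
    for attempt in range(1, max_attempts + 1):
        code = f"{attempt - 1:06d}"
        result = login(user, password, code, protector, report_otp_failures)
        if result == "ok":
            return "compromised", attempt
        if result == "locked":
            return "locked", attempt
    return "exhausted", max_attempts


if __name__ == "__main__":
    print("unpatched:", brute_force_otp("alice", "correct horse battery", False))
    print("fixed:    ", brute_force_otp("alice", "correct horse battery", True))
```

With the flag off, a phished or reused password is enough: the whole OTP space is searchable because no attempt ever counts against the account. With it on, the same attacker is locked out after the threshold, exactly as a password-guessing attacker always was. After applying this update, the practical check is to confirm that repeated wrong OTP codes in a conditional post-login flow now trip the realm's brute-force lockout just as wrong passwords do.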
    
    For more details about the security issue(s), including the impact, a CVSS
    score, and other related information, refer to the CVE page(s) listed in
    the References section.
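
The three netty entries above are all request-smuggling variants: two HTTP parsers on the same path (a reverse proxy in front of the server, say) disagree about where one request body ends, so an attacker can append a second request that only one side sees. The validator below is an added example written for this page, not netty's code or its fix; it applies the RFC 7230 framing rules that remove the ambiguity by refusing the request instead of guessing. The sample requests are constructed, not captured traffic, and the host name and paths in them are made up.

```python
import re

# RFC 7230 "token" characters, the only bytes permitted in a field-name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_DIGITS = re.compile(r"^[0-9]+$")


class SmugglingRisk(ValueError):
    """Raised when a request's body framing is malformed or ambiguous."""


def parse_request_head(raw: bytes):
    """Strictly parse the header block of one HTTP/1.1 request.

    Returns (headers, framing): headers maps lower-cased field names to
    lists of values; framing is 'chunked', an int Content-Length, or 0.
    Wherever two lenient parsers could disagree it raises SmugglingRisk;
    the caller should answer 400 and close the connection.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SmugglingRisk("header block not terminated by CRLF CRLF")
    request_line, *field_lines = head.split(b"\r\n")
    if len(request_line.split(b" ")) != 3:
        raise SmugglingRisk("malformed request line")

    headers = {}
    for line in field_lines:
        if line[:1] in (b" ", b"\t"):
            # A line starting with whitespace is obs-fold, a continuation of
            # the previous field. A parser that instead treats
            # ' Transfer-Encoding: chunked' as a fresh header disagrees with
            # one that folds it: the whitespace mishandling in CVE-2020-7238.
            raise SmugglingRisk(f"obsolete line folding rejected: {line!r}")
        name, colon, value = line.partition(b":")
        if not colon:
            # A field line with no colon at all (the CVE-2019-20444 pattern).
            raise SmugglingRisk(f"field line without colon: {line!r}")
        if not _TOKEN.match(name.decode("ascii", "replace")):
            # Also rejects 'Transfer-Encoding : chunked': whitespace is not a
            # token character, so nothing may sit between name and colon.
            raise SmugglingRisk(f"invalid field name: {name!r}")
        key = name.decode("ascii").lower()
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))

    te = headers.get("transfer-encoding")
    cl = headers.get("content-length")
    if te and cl:
        # RFC 7230 3.3.3: both present is a smuggling signal; reject.
        raise SmugglingRisk("Transfer-Encoding and Content-Length both present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise SmugglingRisk("final transfer-coding is not chunked")
        return headers, "chunked"
    if cl:
        if len(cl) != 1:
            # Two Content-Length fields (the CVE-2019-20445 pattern). RFC 7230
            # 3.3.2 permits rejecting even identical duplicates; we do.
            raise SmugglingRisk(f"multiple Content-Length fields: {cl}")
        if not _DIGITS.match(cl[0]):
            raise SmugglingRisk(f"non-numeric Content-Length: {cl[0]!r}")
        return headers, int(cl[0])
    return headers, 0


def check(raw: bytes) -> str:
    """Summarise one request as 'accept:<framing>' or 'reject:<reason>'."""
    try:
        _headers, framing = parse_request_head(raw)
    except SmugglingRisk as exc:
        return f"reject:{exc}"
    return f"accept:{framing}"


# Constructed sample requests for a made-up host; not captured traffic.
CLEAN = (b"POST /auth/realms/demo/protocol/openid-connect/token HTTP/1.1\r\n"
         b"Host: sso.example\r\nContent-Length: 5\r\n\r\nhello")
DUP_CL = (b"POST /login HTTP/1.1\r\nHost: sso.example\r\n"
          b"Content-Length: 5\r\nContent-Length: 42\r\n\r\nhello")
TE_FOLDED = (b"POST /login HTTP/1.1\r\nHost: sso.example\r\n"
             b"Content-Length: 5\r\n Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
TE_SPACE_BEFORE_COLON = (b"POST /login HTTP/1.1\r\nHost: sso.example\r\n"
                         b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")
NO_COLON = (b"POST /login HTTP/1.1\r\nHost: sso.example\r\n"
            b"X-Bogus-Line\r\nContent-Length: 5\r\n\r\nhello")
CL_AND_TE = (b"POST /login HTTP/1.1\r\nHost: sso.example\r\n"
             b"Transfer-Encoding: chunked\r\nContent-Length: 5\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("duplicate CL", DUP_CL),
                          ("folded TE", TE_FOLDED),
                          ("space before colon", TE_SPACE_BEFORE_COLON),
                          ("no colon", NO_COLON), ("CL and TE", CL_AND_TE)]:
        print(f"{label:20s} -> {check(sample)}")
```

The design point is that every rejected case is one where a permissive decoder would have picked an interpretation; whichever it picked, a differently permissive peer could pick the other, and the body bytes of one request become the start of the next. Rejecting is the only choice that cannot be desynchronised. The same rules are a useful acceptance test for any proxy or load balancer placed in front of a patched server.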
    
    3. Solution:
    
    Before applying the update, back up your existing installation, including
    all applications, configuration files, databases and database settings, and
    so on.
    
    The References section of this erratum contains a download link (you must
    log in to download the update).
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol
    1764612 - CVE-2019-0205 thrift: Endless loop when fed specific input data
    1764658 - CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source
    1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppress the class property in PropertyUtilsBean by default
    1770615 - CVE-2019-14885 JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command
    1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use
    1793154 - CVE-2019-20330 jackson-databind: lacks certain net.sf.ehcache blocking
    1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling
    1798509 - CVE-2019-20445 netty: HttpObjectDecoder.java allows a Content-Length header to be accompanied by a second Content-Length header
    1798524 - CVE-2019-20444 netty: HTTP request smuggling
    1805792 - CVE-2020-1744 keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP
    
    5. References:
    
    https://access.redhat.com/security/cve/CVE-2019-0205
    https://access.redhat.com/security/cve/CVE-2019-0210
    https://access.redhat.com/security/cve/CVE-2019-10086
    https://access.redhat.com/security/cve/CVE-2019-12400
    https://access.redhat.com/security/cve/CVE-2019-14885
    https://access.redhat.com/security/cve/CVE-2019-14887
    https://access.redhat.com/security/cve/CVE-2019-20330
    https://access.redhat.com/security/cve/CVE-2019-20444
    https://access.redhat.com/security/cve/CVE-2019-20445
    https://access.redhat.com/security/cve/CVE-2020-1744
    https://access.redhat.com/security/cve/CVE-2020-7238
    https://access.redhat.com/security/updates/classification/#important
    https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.3
    https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/
    
    6. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2020 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXnkYj9zjgjWX9erEAQiTHhAApXKm1HP2WZtfXz1C4xJeCFdehaI7rOzm
    JDER7JDvhtpll9JnPdO9mQe2EsP8o96vwH5lKJxE34Hi6sR4ROVjW+wpS2f4wF+R
    GV9LWAzSw6skxwhgYZKhwLjSMPndisDA8OUCFfB0k4lPWpHweNs1C25m1FPpK2/B
    0hZgzCN/VDVj/nDsv11bZT00EH83MxNOi9Jjj1kT9v1WE3cSCLrxyg3L3+p8d0QT
    aXfqOFJ8fLTDBIGwgqKfy9NnOxkR9AoiaeP9fnSJpLq3+YWS11ZD8Gmw2JayCtGe
    xS6FJAKHbu90cPM0mxDInBPwCQIm3XQEX0h0L+6bfGhcVuOmABdd3V/DURnHO/hZ
    NasO4LwlWx3hy32aRG53hLnbtQWHq1OFK0DGyU1RUEu1bDHCFqzJnT7HfS82gLJO
    lCDW5D3W1AYfJtr+Tr4z9m81yMWxzt8embrL81hmqYDxYEsDxS70FTXBPQlq4ERi
    lJ/QDJUhmW1B6qhSqMEPME1L3uu0BwlElfyLzCr7SIwuHEI5aK4LCZZ/hFulphTm
    I7nsdH1a/3PkDlmXzal7yRFhA7gwBO4//lHrarfALhxDtxQdC7mt9vZ4Tj2roO5U
    5PLxDyH9K5+ZjYU/BdNOWCZ0hzs0saagTxkGPT+AbZJmY2IYNNuQZdb/nbo7ihWm
    AKt6O8M5K9Q=
    =dKyX
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    