Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

RHEL-8: RHSA-2022:8964-01 Important Security Update for rh-sso-7/sso76

red hat
Calendar Grey December 13, 2022
Dist Redhat Esm H88
Important patch for rh-sso-7, enhances safety and reliability of RHEL-8 Middleware Containers.
Updated rh-sso-7/sso76-openshift-rhel8 container image and rh-sso-7/sso7-rhel8-operator-bundle image is now available for RHEL-8 based Middleware Containers

Solution

The RHEL-8 based Middleware Containers container image provided by this update can be downloaded from the Red Hat Container Registry at registry.access.redhat.com. Installation instructions for your platform are available at Red Hat Container Catalog (see References).

Dockerfiles and scripts should be amended either to refer to this new image specifically, or to the latest image generally.

Summary

The rh-sso-7/sso76-openshift-rhel8 container image and rh-sso-7/sso7-rhel8-operator operator has been updated for RHEL-8 based Middleware Containers to address the following security issues.
Security Fix(es):
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Users of rh-sso-7/sso76-openshift-rhel8 container images and rh-sso-7/sso7-rhel8-operator operator are advised to upgrade to these updated images, which contain backported patches to correct these security issues, fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.
You can find images updated by this advisory in Red Hat Container Catalog (see References).

Topics%20covered

Topics Covered

security advisory middleware container image operator update RHEL-8

References

https://access.redhat.com/security/cve/CVE-2016-3709 https://access.redhat.com/security/cve/CVE-2022-1304 https://access.redhat.com/security/cve/CVE-2022-3782 https://access.redhat.com/security/cve/CVE-2022-3916 https://access.redhat.com/security/cve/CVE-2022-22624 https://access.redhat.com/security/cve/CVE-2022-22628 https://access.redhat.com/security/cve/CVE-2022-22629 https://access.redhat.com/security/cve/CVE-2022-22662 https://access.redhat.com/security/cve/CVE-2022-26700 https://access.redhat.com/security/cve/CVE-2022-26709 https://access.redhat.com/security/cve/CVE-2022-26710 https://access.redhat.com/security/cve/CVE-2022-26716 https://access.redhat.com/security/cve/CVE-2022-26717 https://access.redhat.com/security/cve/CVE-2022-26719 https://access.redhat.com/security/cve/CVE-2022-27404 https://access.redhat.com/security/cve/CVE-2022-27405 https://access.redhat.com/security/cve/CVE-2022-27406 https://access.redhat.com/security/cve/CVE-2022-30293 https://access.redhat.com/security/cve/CVE-2022-37434 https://access.redhat.com/security/cve/CVE-2022-42898 https://catalog.redhat.com/software/containers/registry/registry.access.redhat.com/repository/rh-sso-7/sso76-openshift-rhel8 https://access.redhat.com/security/updates/classification/#important

Package List


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2022:8964-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:8964
Issue date: 2022-12-13

Topic

Updated rh-sso-7/sso76-openshift-rhel8 container image andrh-sso-7/sso7-rhel8-operator-bundle image is now available for RHEL-8 basedMiddleware Containers.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory middleware container image operator update RHEL-8

Relevant Releases Architectures

Bugs Fixed

2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding

2141404 - CVE-2022-3916 keycloak: Session takeover with OIDC offline refreshtokens

5. JIRA issues fixed (https://issues.redhat.com/):

CIAM-4412 - Build new OCP image for rh-sso-7/sso76-openshift-rhel8

CIAM-4413 - Generate new operator bundle image for this patch

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here