-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On 7.6.1 security update on RHEL 7
Advisory ID:       RHSA-2022:8961-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:8961
Issue date:        2022-12-13
CVE Names:         CVE-2022-3782 CVE-2022-3916
====================================================================

1. Summary:

New Red Hat Single Sign-On 7.6.1 packages are now available for Red Hat
Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Single Sign-On 7.6 for RHEL 7 Server - noarch

3. Description:

Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.6.1 on RHEL 7 serves as a
replacement for Red Hat Single Sign-On 7.6.1, and includes the security
fixes listed below.

Security Fix(es):

* keycloak: path traversal via double URL encoding (CVE-2022-3782)

* keycloak: Session takeover with OIDC offline refresh tokens
(CVE-2022-3916)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding
2141404 - CVE-2022-3916 keycloak: Session takeover with OIDC offline refresh tokens

6. JIRA issues fixed (https://issues.redhat.com/):

CIAM-4414 - Build RPMs for this patch

7. Package List:

Red Hat Single Sign-On 7.6 for RHEL 7 Server:

Source:
rh-sso7-keycloak-18.0.3-1.redhat_00002.1.el7sso.src.rpm

noarch:
rh-sso7-keycloak-18.0.3-1.redhat_00002.1.el7sso.noarch.rpm
rh-sso7-keycloak-server-18.0.3-1.redhat_00002.1.el7sso.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2022-3782
https://access.redhat.com/security/cve/CVE-2022-3916
https://access.redhat.com/security/updates/classification/#important

9. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY5ipotzjgjWX9erEAQjCBA//UBYUDvesP1x2wXWYvnR28asrOWhGk7tA
n2G9Rf8/9jkZS2QetFy9xLsSBVGEOz+4ZhnyMST5XgjRkdpC+TcpcjgkgZ+w3V6X
fSfbeyC3SvxK9S8+s59yrRHmBbkXBhlJf37BEXhWaJXJ0FTO72NvPM1vUWRKWW1w
vK5/CW27UBTqxNgpXSiBeO/rIVRbknVCxD+YXQlwaGW8+jvxWzo/8JJ/nshJ1bDg
5Q3mC6kuv5SFpF4UhjGBQAuw+COoMZ+4FNRSUNWuErpvPd1YpEDyEEfxT1tArZDM
IKWxpaVSNnFvKrkAqFUs6uuNiW/vzc+Sm7u79Ax0o6WUpD3J3t7oAstS8FWHM6qL
WFuEUv0sKROLtR1o1IxROwjlMRyJXhTKwNZI3A8xG762/tFX9N0y1tJFO5rm/Wqf
cXsi9fily473Y+JCnTNQS0rrwhy3ZV2w3SFM1lcrgMA5Y3BuRYqz63yLq8EsYMwX
hW/1TgBj0QBP5QLlncs9eFF+vfvSFMq5780JJhniTkmdfLtuIPlWhFPjpwcA0XKY
K+pVXDSfZ76V4mZaNKN8JQnps/xvbc7rUHjWZ8MCi2PDnZwpzj2KT+WjI31YsQbe
5CHaMYS5ikZ3P2xHQIqaacAmEUqrYHo1dI75KZ9azjXcubgMk5/KNXD+gmo0bmnX
uI04HxR4UHc=
=9d1O
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On security update on RHEL 8
Advisory ID:       RHSA-2021:5219-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:5219
Issue date:        2021-12-20
CVE Names:         CVE-2021-4133
====================================================================

1. Summary:

A security update is now available for Red Hat Single Sign-On 7.5 on Red
Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Single Sign-On 7.4 for RHEL 8 - noarch

3. Description:

Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This is an asynchronous patch for Red Hat Single Sign-On 7.5, and includes
one security fix.

Security Fix:

* keycloak: Incorrect authorization allows unprivileged users to create
other users (CVE-2021-4133)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2033602 - CVE-2021-4133 Keycloak: Incorrect authorization allows unprivileged users to create other users

6. Package List:

Red Hat Single Sign-On 7.4 for RHEL 8:

Source:
rh-sso7-keycloak-15.0.2-3.redhat_00002.1.el8sso.src.rpm

noarch:
rh-sso7-keycloak-15.0.2-3.redhat_00002.1.el8sso.noarch.rpm
rh-sso7-keycloak-server-15.0.2-3.redhat_00002.1.el8sso.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2021-4133
https://access.redhat.com/security/updates/classification#important
https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.5

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYcDdsdzjgjWX9erEAQjCjA/+KIlIiMbC0ZFeoMKgl1YChugum1oQWWIc
Nym8fZN9rU6k0Py/Xp8tTHKpFo0rF1IhgnzvkmaU3VeIHL2yxxpoSjzKpZKy+pgV
7+W2850a5ygG6egZtige+RB6mpWZlyEuaXr2SBhX3f2CXgG42vIqu5jeKqn6kyBG
Zt6F+EG/i2ABmNuAOeL5Rpvb4ihEIlqsTcaYsQb4HtM7ozBoxXQB4LE1HS9KQZWh
5eMlpnRauWklAIIE2X72Vt7gjjbatmxmi/BHNeWige7iKtsHZzIAyoZOJ8TRgK2k
EqdtRVmcRKRwu64wa6aL1ry8BXbyIs0jgRTwNx09tqHwWjtJkr9w+C/bvNhQXaMU
Gz4oRws8kgQcMiCAkM9eAam8PnuD84b0EPvZI4YwLi9/PZ6P4/1Oz4+imas7uP67
G1QRKhjjxdXgwqrH8rv8FdTtIkNrPpUG0Ebxz/fTpshVkzIKxU19oOIs9T3G3shF
FVNQBUSaffk6fKIX66cfoIiz6FNjCzPjTRqkPAhIzekISvZE+jt6UOD34aJqp9ku
cMhp3LbK2uAYOkKlHWe6RNIhYDnliCNyP8K/dNNtgeW7sgSp7BnJ/5QPuzgkkr26
l9xiPN6W/h2vAVNwYImYSUSQ5Wi/pT9+VYTd9kOgZxkylLalvQYhwPT7KAfAN3lO
/CI0iyhfwR0=
=RdiR
-----END PGP SIGNATURE-----
Arch Linux Security Advisory ASA-202105-6
=========================================

Severity: High
Date    : 2021-05-19
CVE-ID  : CVE-2020-14302 CVE-2020-27838 CVE-2021-3513 CVE-2021-20202
          CVE-2021-20222
Package : keycloak
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1926

Summary
=======

The package keycloak before version 13.0.0-1 is vulnerable to multiple
issues including cross-site scripting, information disclosure and
insufficient validation.

Resolution
==========

Upgrade to 13.0.0-1.

# pacman -Syu "keycloak>=13.0.0-1"

The problems have been fixed upstream in version 13.0.0.

Workaround
==========

None.

Description
===========

- CVE-2020-14302 (insufficient validation)

A flaw was found in Keycloak before 13.0.0 where an external identity
provider, after successful authentication, redirects to a Keycloak endpoint
that accepts multiple invocations with the use of the same "state"
parameter. This flaw allows a malicious user to perform replay attacks.

- CVE-2020-27838 (information disclosure)

A security issue was found in keycloak in versions prior to 13.0.0. The
client registration endpoint allows fetching information about PUBLIC
clients (like client secret) without authentication, which could be an
issue if the same PUBLIC client is changed to CONFIDENTIAL later.

- CVE-2021-3513 (information disclosure)

A security issue was found in keycloak before version 13.0.0 where brute
force attacks are possible even when the permanent lockout feature is
enabled, because of the wrong error message that is displayed when wrong
credentials are entered.

- CVE-2021-20202 (information disclosure)

A security issue was found in keycloak before version 13.0.0. Directories
can be created prior to the Java process creating them in the temporary
directory, but with wider user permissions, allowing the attacker to have
access to the contents that keycloak stores in this directory.

- CVE-2021-20222 (cross-site scripting)

A security issue was found in keycloak before version 13.0.0. The new
account console in keycloak can allow malicious code to be executed using
the referrer URL.

Impact
======

A remote attacker could perform replay attacks, obtain information about
CONFIDENTIAL clients, brute force account credentials, or execute arbitrary
code through cross-site scripting. A local attacker could access sensitive
information stored in temporary directories.

References
==========

https://bugzilla.redhat.com/show_bug.cgi?id=1849584
https://github.com/keycloak/keycloak/pull/7807
https://github.com/keycloak/keycloak/commit/41dc94fead4c20560e0dd96c3efbd7bd10a484b6
https://bugzilla.redhat.com/show_bug.cgi?id=1906797
https://github.com/keycloak/keycloak/pull/7790
https://github.com/keycloak/keycloak/commit/9356843c6c3d7097d010b3bb6f91e25fcaba378c
https://bugzilla.redhat.com/show_bug.cgi?id=1953439
https://github.com/keycloak/keycloak/pull/7976
https://github.com/keycloak/keycloak/commit/315b9e3c2970145e03dfaaddc364d588c9ebf060
https://bugzilla.redhat.com/show_bug.cgi?id=1922128
https://github.com/keycloak/keycloak/commit/853a6d73276849877819f2dc23133557f6e1e601
https://bugzilla.redhat.com/show_bug.cgi?id=1924606
https://github.com/keycloak/keycloak/pull/7868
https://github.com/keycloak/keycloak/commit/3b80eee5bfdf2b80c47465c0f2eaf70074808741
https://security.archlinux.org/CVE-2020-14302
https://security.archlinux.org/CVE-2020-27838
https://security.archlinux.org/CVE-2021-3513
https://security.archlinux.org/CVE-2021-20202
https://security.archlinux.org/CVE-2021-20222
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Single Sign-On 7.4.7 security update
Advisory ID:       RHSA-2021:2070-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2070
Issue date:        2021-05-20
CVE Names:         CVE-2021-3424 CVE-2021-3461 CVE-2021-21290 CVE-2021-21295
====================================================================

1. Summary:

A security update is now available for Red Hat Single Sign-On 7.4 from the
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.4.7 serves as a replacement for
Red Hat Single Sign-On 7.4.6, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.

Security Fix(es):

* netty: Information disclosure via the local system temporary directory
(CVE-2021-21290)

* netty: possible request smuggling in HTTP/2 due to missing validation
(CVE-2021-21295)

* keycloak: Backchannel logout not working when Principal Type is set to
Attribute Name for external SAML IDP (CVE-2021-3461)

* keycloak: Internationalized domain name (IDN) homograph attack to
impersonate users (CVE-2021-3424)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings,
and so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory
1933320 - CVE-2021-3424 keycloak: Internationalized domain name (IDN) homograph attack to impersonate users
1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due to missing validation
1941565 - CVE-2021-3461 keycloak: Backchannel logout not working when Principal Type is set to Attribute Name for external SAML IDP

5. References:

https://access.redhat.com/security/cve/CVE-2021-3424
https://access.redhat.com/security/cve/CVE-2021-3461
https://access.redhat.com/security/cve/CVE-2021-21290
https://access.redhat.com/security/cve/CVE-2021-21295
https://access.redhat.com/security/updates/classification#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.4
https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.4

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYKahltzjgjWX9erEAQhxlBAAo/JqfCqNLqDDvmGEyEfrjOM4xjJrpODp
psudtB1aYun6VNfpZO/wdUngZv299EOZAEqPmgVqETVVP975JY6NtH7yn/jczAXe
gDo29WHG1rcSOsWmWgpeJYKq2a70X909jShiXjSPYz+g8MSODPHcVYpTA0/gnQl7
AYfmmm9UbX+weVS5vBdk2R0NFR3VPEobhPOSAXDwo5CEew4PQzr/IGDaHglTA5wc
xEv2/4Bl+IO4I7QZeFOWeTCVFE3e1OkUe9kQfGCd96oYW/YXXe7IA1ReIMlV/8o9
5JLKDU6JLoGQVzlQ4PRpINxrk2/VzrOQvbL6hT+2T+NsjdOW56mnlUhLEetgfVjA
ju1ATrHekp1+sDSvLiWPsQSIljcaZwn9Vq5E7rmLJ/7IqIGGH8wBVW5Vy3764sdU
06aJXuLFeWuUIEsyvObQDy5qmaGA/tVlYbPgEzANVM/TpFuPFdgOFiUjq5+Hy2qH
by40ENo0e3qlg5v5Vlgi+4WtyKov0Wkareo5P8KtD/ZdZzLV3knriTmdPSpG6h5A
wV5fh1i/bCzWVW/6qNHcg5jPWtc29CEY7Sh182Xf1+esN5eoXia4VRzRhGAIRTkK
UofJYaUACkgP5e7G7IM2uJ+uhWUeUZJOOuEXgn4/+FWTJJXn5a/zHOiDFPUUyBEj
S2bSBd6lSWE=
=T4yq
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Single Sign-On 7.4.7 security update on RHEL 6
Advisory ID:       RHSA-2021:2063-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2063
Issue date:        2021-05-20
CVE Names:         CVE-2021-3424 CVE-2021-3461
====================================================================

1. Summary:

New Red Hat Single Sign-On 7.4.7 packages are now available for Red Hat
Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Single Sign-On 7.4 for RHEL 6 Server - noarch

3. Description:

Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.4.7 serves as a replacement for
Red Hat Single Sign-On 7.4.6, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.

Security Fix(es):

* keycloak: Backchannel logout not working when Principal Type is set to
Attribute Name for external SAML IDP (CVE-2021-3461)

* keycloak: Internationalized domain name (IDN) homograph attack to
impersonate users (CVE-2021-3424)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1933320 - CVE-2021-3424 keycloak: Internationalized domain name (IDN) homograph attack to impersonate users
1941565 - CVE-2021-3461 keycloak: Backchannel logout not working when Principal Type is set to Attribute Name for external SAML IDP

6. Package List:

Red Hat Single Sign-On 7.4 for RHEL 6 Server:

Source:
rh-sso7-keycloak-9.0.13-1.redhat_00006.1.el6sso.src.rpm

noarch:
rh-sso7-keycloak-9.0.13-1.redhat_00006.1.el6sso.noarch.rpm
rh-sso7-keycloak-server-9.0.13-1.redhat_00006.1.el6sso.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2021-3424
https://access.redhat.com/security/cve/CVE-2021-3461
https://access.redhat.com/security/updates/classification#moderate
https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.4/html/release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYKZaHNzjgjWX9erEAQhedQ//XqT0sx2WjPqqE0TEDZb/fIvAYH1LwMqC
XhZ03YxxrGFAuTAJXjOJ/IyMxRZsDmSlW7hSsaHoq3pmsz8P2UbIUdw5Qy/foDrk
IQlg4ZXnIiiYSIZjUQ4qR6iB70sb8M7a0mstO3nPbWui7mo8QWmD48KMjzvYolMp
LWeE8+VaoYRXqTitKADN0CANQKVdgGpiZev9ReQOlvdjYtuKELVwQJHF7M4s979x
zzawIUO7116RyiY6X/FwduXWRWCR22vfFtoz2lUK7VLOtZU0/Ux2HjSQBXppLh+u
B7YnAaDGBlBx9e7ghBJv8ij8abmirb5LN7BkAgp5Cq1WsESWJnrB5r93+hvDCVJb
NxGZhzeZk4CfApV53E6LODqwWlxZV/MTv7uPl8gpZSdH02SFGnPeZOYkQkWg4xRt
Ssx0KYcEv5f98ALB+4VEXx4NJVe3dv+dN1KHsjejX2U4f7ryr2tji43QYMf4cG7r
rPO0diqkJf+puRDLTyBjYVmmKW7Lrp/hd3Y+2Yn+3BiW8Q235T2ZOgtPGo1pvTFK
I3Dp8vaYenetPc9J9/dsyEisaGcUCT5iJHp3S+OlPQ4xyeTMntvncXy6zlpwQEjf
EWkDSW2o/rNMYod2tnOHgxltAe2UMgEmZLIR9VbT+zfwUFakMplTh10gTXFTNzn5
W3gnz2rYrAQ=
=kXbw
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Single Sign-On 7.4.7 security update on RHEL 7
Advisory ID:       RHSA-2021:2064-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2064
Issue date:        2021-05-20
CVE Names:         CVE-2021-3424 CVE-2021-3461
====================================================================

1. Summary:

New Red Hat Single Sign-On 7.4.7 packages are now available for Red Hat
Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Single Sign-On 7.4 for RHEL 7 Server - noarch

3. Description:

Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.4.7 serves as a replacement for
Red Hat Single Sign-On 7.4.6, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.

Security Fix(es):

* keycloak: Backchannel logout not working when Principal Type is set to
Attribute Name for external SAML IDP (CVE-2021-3461)

* keycloak: Internationalized domain name (IDN) homograph attack to
impersonate users (CVE-2021-3424)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1933320 - CVE-2021-3424 keycloak: Internationalized domain name (IDN) homograph attack to impersonate users
1941565 - CVE-2021-3461 keycloak: Backchannel logout not working when Principal Type is set to Attribute Name for external SAML IDP

6. Package List:

Red Hat Single Sign-On 7.4 for RHEL 7 Server:

Source:
rh-sso7-keycloak-9.0.13-1.redhat_00006.1.el7sso.src.rpm

noarch:
rh-sso7-keycloak-9.0.13-1.redhat_00006.1.el7sso.noarch.rpm
rh-sso7-keycloak-server-9.0.13-1.redhat_00006.1.el7sso.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key

7. References:

https://access.redhat.com/security/cve/CVE-2021-3424
https://access.redhat.com/security/cve/CVE-2021-3461
https://access.redhat.com/security/updates/classification#moderate
https://docs.redhat.com/en/documentation/red_hat_single_sign-on/7.4/html/release_notes/index

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYKZaAdzjgjWX9erEAQhVPBAAkH4M8/j6Ld03c9/26r3hDi3wZDND+TQg
x2nTGHfXfd4/B3I7fNyHjkAQbaaML0VGFnczZRKrPr1BnEkkzQ/uI5DBHBueQHi2
DCPQFJD7j1qXEhL8cNLt8R+dkuUMsNOyoH5llhxYQGuyysiJ2aHfw0NZBm9wnuL+
FzouoxBDoFbStEYMXmR2uucIhM+wbPFFXvO2JO8OnTh2aBbkcKiVEfiHLZPHk2j3
sXrOkZgVjscPLYOQBWm+Hutll+vaULUAxk3u8GOI3raJQtDCSHqWlHcX+vp7uOLo
ETDn/jLCOs+T3FdwX2VbHxpyizaKBt1njmXSTMtTEQdA0ifpvRq27FNhUBzC4CAv
Bsdx/6cG1oK6vvqCcjk9XREV/GJNSVLEsdlSzkIXO7hOvQeYOCIXfkk0QNYbGIvK
UgnRCROL3CDF79wwhGdP763lck6BkzHKd1QwFgs9KC/g68aEL+vWlVZYNC0MGJDn
hGZO4pqL8istivH/jymk9qp0E78dVrxg4UtgY1rfkIYZ1luFy1On1oXvvlpkl01U
QvHgIxQWmVfMZfXUoeAfJqRIfAmkYeeywslaqEPwJN20IWsYAeURlb1UDqX28Je4
QMCoVvLZU7UsSTKBnketOj/g0Oqnft33qtruG+h5+ICdRV3Eq1M9Ry5BmuHoM6L6
RCs6dncrK9I=
=bn9q
-----END PGP SIGNATURE-----
Arch Linux Security Advisory ASA-202102-29
==========================================

Severity: High
Date    : 2021-02-20
CVE-ID  : CVE-2021-20195
Package : keycloak
Type    : cross-site scripting
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1578

Summary
=======

The package keycloak before version 12.0.3-1 is vulnerable to cross-site
scripting.

Resolution
==========

Upgrade to 12.0.3-1.

# pacman -Syu "keycloak>=12.0.3-1"

The problem has been fixed upstream in version 12.0.3.

Workaround
==========

None.

Description
===========

A security issue was found in keycloak before version 12.0.3. A
self-stored cross-site scripting (XSS) attack vector escalating to a
complete account takeover is possible due to user-supplied data fields not
being properly encoded and JavaScript code being used to process the data.
Specifically, the Account page does not HTML-encode the user first name
and last name, which means malicious HTML code, which executes malicious
JavaScript code, can be embedded into the Account page. Even though the
malicious JavaScript code is linked to the attacker user (Self-XSS), it
can be exploited on the Keycloak admin browser, using the Impersonation
functionality, and thus the attacker is able to compromise Keycloak.

Impact
======

A malicious user can execute arbitrary code in Keycloak's account page,
possibly compromising Keycloak's admin account.

References
==========

https://bugzilla.redhat.com/show_bug.cgi?id=1919143
https://github.com/keycloak/keycloak/commit/87422b77aee787c6c55ca22fde31c60bcfe4c7f7
https://security.archlinux.org/CVE-2021-20195
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: RH-SSO 7.4.1 adapters for Red Hat JBoss Enterprise Application Platform 7
Advisory ID:       RHSA-2020:2814-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2814
Issue date:        2020-07-02
CVE Names:         CVE-2020-1714
====================================================================

1. Summary:

A security update is now available for Red Hat Single Sign-On 7.4.1
adapters for Red Hat JBoss Enterprise Application Platform 7.3.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 7.3 for BaseOS-8 - noarch
Red Hat JBoss EAP 7.3 for RHEL 6 Server - noarch
Red Hat JBoss EAP 7.3 for RHEL 7 Server - noarch

3. Description:

Packages: Red Hat Single Sign-On 7.4.1 adapters for Red Hat JBoss
Enterprise Application Platform 7.3

Security Fix(es):

* keycloak: Lack of checks in ObjectInputStream leading to Remote Code
Execution (CVE-2020-1714)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1705975 - CVE-2020-1714 keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution

6. JIRA issues fixed (https://issues.redhat.com/):

KEYCLOAK-13957 - Create RPMs for the RH-SSO 7.4.1 adapters for EAP7

7. Package List:

Red Hat JBoss EAP 7.3 for RHEL 6 Server:

Source:
eap7-keycloak-adapter-sso7_4-9.0.4-1.redhat_00001.1.el6eap.src.rpm

noarch:
eap7-keycloak-adapter-sso7_4-9.0.4-1.redhat_00001.1.el6eap.noarch.rpm
eap7-keycloak-saml-adapter-sso7_4-9.0.4-1.redhat_00001.1.el6eap.noarch.rpm

Red Hat JBoss EAP 7.3 for RHEL 7 Server:

Source:
eap7-keycloak-adapter-sso7_4-9.0.4-1.redhat_00001.1.el7eap.src.rpm

noarch:
eap7-keycloak-adapter-sso7_4-9.0.4-1.redhat_00001.1.el7eap.noarch.rpm
eap7-keycloak-saml-adapter-sso7_4-9.0.4-1.redhat_00001.1.el7eap.noarch.rpm

Red Hat JBoss EAP 7.3 for BaseOS-8:

Source:
eap7-keycloak-adapter-sso7_4-9.0.4-1.redhat_00001.1.el8eap.src.rpm

noarch:
eap7-keycloak-adapter-sso7_4-9.0.4-1.redhat_00001.1.el8eap.noarch.rpm
eap7-keycloak-saml-adapter-sso7_4-9.0.4-1.redhat_00001.1.el8eap.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2020-1714
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/

9. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXv3jhtzjgjWX9erEAQgbRQ//ZudbG/tllELWesMM/duq65/Lhe6ytRhc
G9G4EE2rBM/ZcM4kWyUAi5P48hrZR8BjDRNB09fRxyxTu4qBPx3lCbz4Mw1ndObj
fZZ6EAOJKTJHpsgNP31hkhmkZ3KuHkvPlIAZSp6/ebEr266vyDXGJXQ7+XNZWKpq
d/o+ztHr2kXu9fhc6FnMPNBIGtE9IhY7Xnho7zNCyQX0WJ5J1sFoTGy03UmcRr4n
bUHl37qfJyydW1DwZjt3Qs94Hn8pBKSDv0XppLklOghzC8hK8usTZvqu5PkxzvUF
1VYZ1YwN7t5Q9xwxG3uGIROJRPzCVxPEIIqyhfesQLWU8fDHhoAWyFN5nHxsLaJG
rLqecNNLSzwRPmfu12PtaCJvZvsDokeErsrW88DsnuB0UOVBNY1080zvj/8Ozvdm
4WZYxL1tyahcczTj7IEMBstYIxxOgKje6/lXhhG6MEYedfER+AGSGtnuXChB2SEw
RTKxBG9mavLjazCmAx00tzeMKAT4M7VSfB70GLoliOsHkFpFbeFrYiz/Tni/uN3q
kTRUKOasfKRngBNhR1/Af69s2idS9T32kRgfTYRLVhlivuE0FQ5EzI/IyQN8FXME
2+9fEjj92jRLa7t2yrnvrb318mlbXKlmLAkLZygjsSIqMDrH5zC7CJsun62J3GOK
LFWKe3OCrMw=
=1EL6
-----END PGP SIGNATURE-----