-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Single Sign-On 7.6.2 security update on RHEL 8 Advisory ID: RHSA-2023:1044-01 Product: Red Hat Single Sign-On Advisory URL: https://access.redhat.com/errata/RHSA-2023:1044 Issue date: 2023-03-01 CVE Names: CVE-2018-14040 CVE-2018-14042 CVE-2019-11358 CVE-2020-11022 CVE-2020-11023 CVE-2021-35065 CVE-2021-44906 CVE-2022-1274 CVE-2022-1438 CVE-2022-1471 CVE-2022-2764 CVE-2022-3782 CVE-2022-3916 CVE-2022-4137 CVE-2022-24785 CVE-2022-25857 CVE-2022-31129 CVE-2022-37603 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751 CVE-2022-40149 CVE-2022-40150 CVE-2022-42003 CVE-2022-42004 CVE-2022-45047 CVE-2022-45693 CVE-2022-46175 CVE-2022-46363 CVE-2022-46364 CVE-2023-0091 CVE-2023-0264 ==================================================================== 1. Summary: New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Single Sign-On 7.6 for RHEL 8 - noarch 3. Description: Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.6.2 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * keycloak: XSS on impersonation under specific circumstances (CVE-2022-1438) * Moment.js: Path traversal in moment.locale (CVE-2022-24785) * keycloak: missing email notification template allowlist (CVE-2022-1274) * keycloak: minimist: prototype pollution (CVE-2021-44906) * moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129) * undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations (CVE-2022-2764) * snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857) * loader-utils: loader-utils:Regular expression denial of service (CVE-2022-37603) * keycloak: Session takeover with OIDC offline refreshtokens (CVE-2022-3916) * keycloak: path traversal via double URL encoding (CVE-2022-3782) * snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749) * snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751) * snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject (CVE-2022-38750) * keycloak: Client Registration endpoint does not check token revocation (CVE-2023-0091) * keycloak: glob-parent: Regular Expression Denial of Service (CVE-2021-35065) * json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175) * keycloak: keycloak: user impersonation via stolen uuid code (CVE-2023-0264) * snakeyaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471) * CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364) * rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042) * jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos (CVE-2022-45693) * sshd-common: mina-sshd: Java unsafe deserialization vulnerability (CVE-2022-45047) * jettison: memory exhaustion via user-supplied XML or JSON data (CVE-2022-40150) * jettison: parser crash by stackoverflow (CVE-2022-40149) * jackson-databind: use of deeply nested arrays (CVE-2022-42004) * jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003) * jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022) * jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023) * bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040) * jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358) * CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363) * keycloak: reflected XSS attack (CVE-2022-4137) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute 1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip 1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method 2031904 - CVE-2022-1438 keycloak: XSS on impersonation under specific circumstances 2066009 - CVE-2021-44906 minimist: prototype pollution 2072009 - CVE-2022-24785 Moment.js: Path traversal in moment.locale 2073157 - CVE-2022-1274 keycloak: HTML injection in execute-actions-email Admin REST API 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 2117506 - CVE-2022-2764 Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations 2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections 2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode 2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject 2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays 2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data 2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow 2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding 2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service 2141404 - CVE-2022-3916 keycloak: Session takeover with OIDC offline refreshtokens 2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability 2148496 - CVE-2022-4137 keycloak: reflected XSS attack 2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution 2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration 2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability 2155970 - CVE-2022-45693 jettison: If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos 2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method 2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service 2158585 - CVE-2023-0091 keycloak: Client Registration endpoint does not check token revocation 2160585 - CVE-2023-0264 keycloak: user impersonation via stolen uuid code 6. Package List: Red Hat Single Sign-On 7.6 for RHEL 8: Source: rh-sso7-keycloak-18.0.6-1.redhat_00001.1.el8sso.src.rpm noarch: rh-sso7-keycloak-18.0.6-1.redhat_00001.1.el8sso.noarch.rpm rh-sso7-keycloak-server-18.0.6-1.redhat_00001.1.el8sso.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-14040 https://access.redhat.com/security/cve/CVE-2018-14042 https://access.redhat.com/security/cve/CVE-2019-11358 https://access.redhat.com/security/cve/CVE-2020-11022 https://access.redhat.com/security/cve/CVE-2020-11023 https://access.redhat.com/security/cve/CVE-2021-35065 https://access.redhat.com/security/cve/CVE-2021-44906 https://access.redhat.com/security/cve/CVE-2022-1274 https://access.redhat.com/security/cve/CVE-2022-1438 https://access.redhat.com/security/cve/CVE-2022-1471 https://access.redhat.com/security/cve/CVE-2022-2764 https://access.redhat.com/security/cve/CVE-2022-3782 https://access.redhat.com/security/cve/CVE-2022-3916 https://access.redhat.com/security/cve/CVE-2022-4137 https://access.redhat.com/security/cve/CVE-2022-24785 https://access.redhat.com/security/cve/CVE-2022-25857 https://access.redhat.com/security/cve/CVE-2022-31129 https://access.redhat.com/security/cve/CVE-2022-37603 https://access.redhat.com/security/cve/CVE-2022-38749 https://access.redhat.com/security/cve/CVE-2022-38750 https://access.redhat.com/security/cve/CVE-2022-38751 https://access.redhat.com/security/cve/CVE-2022-40149 https://access.redhat.com/security/cve/CVE-2022-40150 https://access.redhat.com/security/cve/CVE-2022-42003 https://access.redhat.com/security/cve/CVE-2022-42004 https://access.redhat.com/security/cve/CVE-2022-45047 https://access.redhat.com/security/cve/CVE-2022-45693 https://access.redhat.com/security/cve/CVE-2022-46175 https://access.redhat.com/security/cve/CVE-2022-46363 https://access.redhat.com/security/cve/CVE-2022-46364 https://access.redhat.com/security/cve/CVE-2023-0091 https://access.redhat.com/security/cve/CVE-2023-0264 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY//tydzjgjWX9erEAQi3mRAAl2V/N7ukiujfYBfqFIxjbd79VtL9hlfD ixzJ8bB0hUusxmPINevon76ruf5k39FEAAYDnu1lNTZyY9kxJaigrx1a+EdYz6yV mSKgJ6Feg+k4WIU+lSoY5Dshvq+5KSHnc9qiJOu5wDY6TwHG70WB2DgjCwx82aKG fzAY0OBuo5gF21Nya2BQIJP8b8h3JWlLu5Mq9fZgniwzXq/O8uvyCnIKUuzMGCaN qhFNieWPO707T06X+vY0yHBRIR/D+JrKo22EtszLKOHTP6r2RNPQ4nGiLVAeqg0/ ri5BWi84o1oTBWYkl2h2lt8XKYnryb9HsZxMxHCDglY+4bcgV/owaGclLYUIMwth JFMetBihLrfQNpqkKeeCbZ7nWW2HpM/N4IBxc2cIwUiP4UAHa51WmTdHW8ERt8vF 4KuMu8IuoJdb1eY7S52Y+AFuqctbI0n0QpI00CwncJMij7YbCTWbL0tS7DLYlI9N yzYBNYDJO4PUvfZaukPDMOHsdk56VO5tD19Okk7MKYqhs59OGluOnhCPn4Bc0/Iq vkfWfgtxItk72fC6Ojnvy9lf9hLkAKuP7pb6tFkffSrKQSJXDMkO2HROqES9XGe6 S/dWJWNseuoDSJveH4ot5h8vuU0GztMKaI1lMOU6xMr7jx4cPOss8NmHHCnBaBHY n1OvFU4NzQU=chys -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce