-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1662
               Red Hat Single Sign-On 7.3.8 security updates
                                13 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Single Sign-On 7.3.8
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated      
                   Denial of Service        -- Remote/Unauthenticated      
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Existing Account            
                   Unauthorised Access      -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-7226 CVE-2020-6950 CVE-2020-1758
                   CVE-2020-1757 CVE-2020-1724 CVE-2020-1719
                   CVE-2020-1718 CVE-2020-1695 CVE-2019-17573
                   CVE-2019-14900 CVE-2019-10174 CVE-2019-10172
                   CVE-2018-14371 CVE-2016-3720 

Reference:         ASB-2020.0025
                   ESB-2020.1660
                   ESB-2020.1659

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:2113
   https://access.redhat.com/errata/RHSA-2020:2112
   https://access.redhat.com/errata/RHSA-2020:2108
   https://access.redhat.com/errata/RHSA-2020:2107
   https://access.redhat.com/errata/RHSA-2020:2106

Comment: This bulletin contains five (5) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On 7.3.8 security update
Advisory ID:       RHSA-2020:2113-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2113
Issue date:        2020-05-12
CVE Names:         CVE-2018-14371 CVE-2019-10174 CVE-2020-6950 
=====================================================================

1. Summary:

A security update is now available for Red Hat Single Sign-On 7.3 from the
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This asynchronous patch is a security update for the Undertow package in
Red Hat Single Sign-On 7.3.8. 

Security Fix(es):

* infinispan: invokeAccessibly method from ReflectionUtil class allows to
invoke private methods (CVE-2019-10174)

* mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the
loc parameter (CVE-2018-14371)

* Mojarra: Path traversal via either the loc parameter or the con
parameter, incomplete fix of CVE-2018-14371 (CVE-2020-6950)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1607709 - CVE-2018-14371 mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter
1703469 - CVE-2019-10174 infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods
1805006 - CVE-2020-6950 Mojarra: Path traversal via either the loc parameter or the con parameter, incomplete fix of CVE-2018-14371

5. References:

https://access.redhat.com/security/cve/CVE-2018-14371
https://access.redhat.com/security/cve/CVE-2019-10174
https://access.redhat.com/security/cve/CVE-2020-6950
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.3
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXrraT9zjgjWX9erEAQgaGQ//ZOD0WL47ABG9jIfNdIoMLPQ+s1wKFzEK
W/0QER6bmuF6u/fd/uBXJVcK0KlOUHTYJQGUhFE1JYg63lF5MeS+AY2DGjGekCQV
fB9YkNV7CSB1IbK09QCbsqgIVvyEw2Kgj1SnyZbJbNM7NJB1gnkN1CqaEXvxGp8O
MTqjtrhwRT9m59ukHpvaAu+XLZ3u5Bx4XE/Q30/ZkNsg6wyHAwSg9cuJir0vUtvN
n8qGWVkE2hHAUdcqEnZEeaNsTDmWr0G9F6WeREOlt9zOpQdBRxc+TfzHzCENNc4Q
/tUAN5XjPwrOPzriNI1CRvcXe0cFgS/Q3bYsbvP1W1jnzBtV5aVrMewrLeHLieaT
Nm/j4EZMIfA8GXgrdQ4wTJTToM3OVW/WkZupO+qF52nNVpGpHoPj0wGNclAYk2NJ
NbRj+10YX0UDOGmUKAbDV+hs+VRE0ZyJ8Ie2yKbQ9SjfJJeNtTGthz2PYgurSzNE
7In8IDNftqLpAWL/cyTrgMvNIGW6yvjK+aCCsqp3Uhv7incBb6ITVpVbjCLsXYUH
I+J/Eqfk7KENGQCEUKoD1KUFxQLEBMA+Z/2G6w8IA5lSdWrmmjoNJ/0GqdODxlFX
sQhtW2UExNb5OMOoSjcfVYwx8r0aE5Y0LPj2kmWH6jgUthV+FlBK1jfa9g3HzSo+
2sC3EmunJo8==w9MO
- -----END PGP SIGNATURE-----

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On 7.3.8 security update
Advisory ID:       RHSA-2020:2112-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2112
Issue date:        2020-05-12
CVE Names:         CVE-2019-10172 CVE-2019-14900 CVE-2019-17573 
                   CVE-2020-1695 CVE-2020-1718 CVE-2020-1719 
                   CVE-2020-1724 CVE-2020-1757 CVE-2020-1758 
                   CVE-2020-7226 
=====================================================================

1. Summary:

A security update is now available for Red Hat Single Sign-On 7.3 from the
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.3.8 serves as a replacement for
Red Hat Single Sign-On 7.3.7, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.

Security Fix(es):

* keycloak: security issue on reset credential flow (CVE-2020-1718)

* undertow: servletPath is normalized incorrectly leading to dangerous
application mapping which could result in security bypass (CVE-2020-1757)

* jackson-mapper-asl: XML external entity similar to CVE-2016-3720
(CVE-2019-10172)

* hibernate: SQL injection issue in Hibernate ORM (CVE-2019-14900)

* cxf: reflected XSS in the services listing page (CVE-2019-17573)

* resteasy: Improper validation of response header in
MediaTypeHeaderDelegate.java class (CVE-2020-1695)

* Wildfly: EJBContext principal is not popped back after invoking another
EJB using a different Security Domain (CVE-2020-1719)

* keycloak: improper verification of certificate with host mismatch could
result in information disclosure (CVE-2020-1758)

* cryptacular: excessive memory allocation during a decode operation
(CVE-2020-7226)

* keycloak: problem with privacy after user logout (CVE-2020-1724)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1666499 - CVE-2019-14900 hibernate: SQL injection issue in Hibernate ORM
1715075 - CVE-2019-10172 jackson-mapper-asl: XML external entity similar to CVE-2016-3720
1730462 - CVE-2020-1695 resteasy: Improper validation of response header in MediaTypeHeaderDelegate.java class
1752770 - CVE-2020-1757 undertow: servletPath is normalized incorrectly leading to dangerous application mapping which could result in security bypass
1796617 - CVE-2020-1719 Wildfly: EJBContext principal is not popped back after invoking another EJB using a different Security Domain
1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow
1797011 - CVE-2019-17573 cxf: reflected XSS in the services listing page
1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout
1801380 - CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation
1812514 - CVE-2020-1758 keycloak: improper verification of certificate with host mismatch could result in information disclosure

5. References:

https://access.redhat.com/security/cve/CVE-2019-10172
https://access.redhat.com/security/cve/CVE-2019-14900
https://access.redhat.com/security/cve/CVE-2019-17573
https://access.redhat.com/security/cve/CVE-2020-1695
https://access.redhat.com/security/cve/CVE-2020-1718
https://access.redhat.com/security/cve/CVE-2020-1719
https://access.redhat.com/security/cve/CVE-2020-1724
https://access.redhat.com/security/cve/CVE-2020-1757
https://access.redhat.com/security/cve/CVE-2020-1758
https://access.redhat.com/security/cve/CVE-2020-7226
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.3
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXrraStzjgjWX9erEAQjGGA/9H+0mP7aNzf3QiX+wiwuKCODpzIctTO18
UvyIux7XIxiatyb65qegnQi307KWyb0hYxNdocnI1m08tz8Lp+qebtkJmJSy3Ngt
OgnQXQmFUqw/jjoK00sbYeOOUC+NxPE85yh+ooIsyuvS8WBYuFHBlXlxa029SVc9
igTxQ7GXB1+/Ku8vXBkIsc+YC4t3lGHtUnMZS48fDmyMM0NcDEX+b5kwJXiKrIGm
80j25g1P72Y84DRF2/7c64J/xwwwQrotZ30px1ZmjlclrpPT7XQ2TuFQVxilZh9X
F8e/0Gih1rDsRy7Xza5X+bmnT5Cq16nBVR7wnKvFlDk0ITd2OcbqUxCYUrbsfHU4
91oettbysDViIWsPbM91V1NGTHMC070mQsJ/lmwAy9XOHQFalgAWrVIhkvMOH8O9
a/0A0+KsjSOlBYk6f+YzSzzgfRG9oQ4Bc2NADj56B0BSWX/FLajA4JNuijOJNmUd
P54fBKKJRQ0w1Td0oQs/DrIwkdMpsz3kRP/c8k+aJNpZ7IDILIPopdpsaCOUGgGn
9UTzdqVAKFPtI4l5iLEI3jB9SvFfSXwDjHDCpw6RlcEYxiKL4TBWW9VCUocAAOz0
2UWHRKVztrtRznKVq9EZ8jkGwK8ybgZpfV1DrcaGCtzzEKoVRd3XTs9ljfrrfnnj
ViMG5m2vpXo==aH/+
- -----END PGP SIGNATURE-----

- ----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On 7.3.8 security update on RHEL 8
Advisory ID:       RHSA-2020:2108-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2108
Issue date:        2020-05-12
CVE Names:         CVE-2020-1718 CVE-2020-1724 CVE-2020-1758 
=====================================================================

1. Summary:

New Red Hat Single Sign-On 7.3.8 packages are now available for Red Hat
Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of
Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives
a detailed severity rating, is available for each vulnerability from the
CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Single Sign-On 7.3 for RHEL 8 - noarch

3. Description:

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.3.8 on RHEL 8 serves as a
replacement for Red Hat Single Sign-On 7.3.7, and includes bug fixes and
enhancements, which are documented in the Release Notes document linked to
in the References.

Security Fix(es):

* keycloak: security issue on reset credential flow (CVE-2020-1718)

* keycloak: improper verification of certificate with host mismatch could
result in information disclosure (CVE-2020-1758)

* keycloak: problem with privacy after user logout (CVE-2020-1724)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow
1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout
1812514 - CVE-2020-1758 keycloak: improper verification of certificate with host mismatch could result in information disclosure

6. JIRA issues fixed (https://issues.jboss.org/):

KEYCLOAK-13799 - Create RPMs for the RH-SSO 7.3.8 release for RHEL8

7. Package List:

Red Hat Single Sign-On 7.3 for RHEL 8:

Source:
rh-sso7-keycloak-4.8.20-1.Final_redhat_00001.1.el8sso.src.rpm

noarch:
rh-sso7-keycloak-4.8.20-1.Final_redhat_00001.1.el8sso.noarch.rpm
rh-sso7-keycloak-server-4.8.20-1.Final_redhat_00001.1.el8sso.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2020-1718
https://access.redhat.com/security/cve/CVE-2020-1724
https://access.redhat.com/security/cve/CVE-2020-1758
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXrrRo9zjgjWX9erEAQi+xg//YmyjtTUAB0O3o0E7jUA08dPR7oCmhP5i
B6pi2tEwGVFSulV00I9T71QAdhmBtR7WjDlyyqj3KX/wLqXGntQBsYfB6Wi+6DGN
jr3XgLgUa3DpTD/rnPHOZ+T0RkeiLK+T3iksBdn6vJhUjH+ati3Tc2v1a6VOmbDA
1SoHj4+3iQydphtkK9J6T76mWNGVlWBvlvFGwkamY0yE+xJX3+AdLrEm4L+5x/px
xWhT5HZVkZCA++y2pBlE6ANG9Y4tRHVtDMaXmHBSBJGiTcyFkyoU0r4R/JqeMYSQ
BE+thU5wqbfVtDtrTYhMpYOnn/K1wBafTy91RBmk/t309cTGDw/oEiFJ6e/aiDtP
1f2rhAkHUcS1mUhXMyadWZP/Szvfxmh+XCqSP+YB4rdOqOkm55ZMFWjp29lqZsab
8Mjxuai79om2FsCT2Me5o6VkA0/ACyDosn6hChoq2+wd5cThTqwR78vYdt/gj6Hc
VfmAtORnAZrfwgqpaKGzmF4fe/8uQIHZthhc8lqY3BkWDERienTB8nk2VlhVborV
2gfMFxxRZaNIAhOZVI6Tnmk1hm0Lg1waj+ATMdTp8Y5P+OT7DFX4E1tpfE9hjk6X
KoWRjH0HU6YwVOBfPBIcztNa1aPWuVtE2EIa7RA4G1bpN7FLMH+OttyCH+mDLiEA
Z3d0bsyOrQI==O8ah
- -----END PGP SIGNATURE-----

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On 7.3.8 security update on RHEL 7
Advisory ID:       RHSA-2020:2107-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2107
Issue date:        2020-05-12
CVE Names:         CVE-2020-1718 CVE-2020-1724 CVE-2020-1758 
=====================================================================

1. Summary:

New Red Hat Single Sign-On 7.3.8 packages are now available for Red Hat
Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Single Sign-On 7.3 for RHEL 7 Server - noarch

3. Description:

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.3.8 on RHEL 7 serves as a
replacement for Red Hat Single Sign-On 7.3.7, and includes bug fixes and
enhancements, which are documented in the Release Notes document linked to
in the References.

Security Fix(es):

* keycloak: security issue on reset credential flow (CVE-2020-1718)

* keycloak: improper verification of certificate with host mismatch could
result in information disclosure (CVE-2020-1758)

* keycloak: problem with privacy after user logout (CVE-2020-1724)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow
1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout
1812514 - CVE-2020-1758 keycloak: improper verification of certificate with host mismatch could result in information disclosure

6. JIRA issues fixed (https://issues.jboss.org/):

KEYCLOAK-13798 - Create RPMs for the RH-SSO 7.3.8 release for RHEL7

7. Package List:

Red Hat Single Sign-On 7.3 for RHEL 7 Server:

Source:
rh-sso7-keycloak-4.8.20-1.Final_redhat_00001.1.el7sso.src.rpm

noarch:
rh-sso7-keycloak-4.8.20-1.Final_redhat_00001.1.el7sso.noarch.rpm
rh-sso7-keycloak-server-4.8.20-1.Final_redhat_00001.1.el7sso.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2020-1718
https://access.redhat.com/security/cve/CVE-2020-1724
https://access.redhat.com/security/cve/CVE-2020-1758
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXrrRYtzjgjWX9erEAQiirQ/9GFUny3eLV+Yi1D9VIc7qHuXT0gnF377Y
n6zEyAwFEdla3xuabaTzWnhZsuSZiyMk4gyX2JFDZ9Ta0yCCERh4hk/RMuPqyasL
zChISSBacpSOTq4kn7o1HxfeMv8KaUvBboB2+PZE3yjtIAkYt5dySoSyxfrQ3epr
oLmTZ0pAI777/qEAfr0iFrAP2dCcudGKpb8wz67HqI4s2vxUy9Vdrmyr/ThSrcP7
KAz/WO6PElyp94oc14eKrrPO1YyUnY05FHTQzuii1f4TnuUpF2E/w7XmrXR4YBUy
2be5oQlFAjjPmEfKMofl85Xrz2nvTOgEitfgX+YVZcV8kYcBJdX/sTYPFFP3D5eX
3JcT7mzFIjI8F0vBgPKjsrVHJYcgAVsfTWetNbvYe/zE5oJc1qh1va0xoibYvON+
3XtmaYn/R2XC9PXRTKwHTBxDfRbVsPaBDiBUnsvKL47sMUkkoSB0LfSMHtwCrkWJ
48yzU2Np/S6ka/Xo8r/V+JRrSJLhQJoOySMutsGI9y+nv6+wBu/6Jdryade2sX+Z
BkBad3qtUIdyC8l9JxmIT0R5BJmF4+7zm60ctxsfgUldPoREP+wN4GH4EiKrA4Kn
msUA649dPkaEs3T7ejgP8ahp8USUS3rZGUZpiQZZESqbNhCX9p2jV1jNVFsdECWG
zOlhRFuo2V0==NGWE
- -----END PGP SIGNATURE-----

- -----------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On 7.3.8 security update on RHEL 6
Advisory ID:       RHSA-2020:2106-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2106
Issue date:        2020-05-12
CVE Names:         CVE-2020-1718 CVE-2020-1724 CVE-2020-1758 
=====================================================================

1. Summary:

New Red Hat Single Sign-On 7.3.8 packages are now available for Red Hat
Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Single Sign-On 7.3 for RHEL 6 Server - noarch

3. Description:

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.3.8 on RHEL 6 serves as a
replacement for Red Hat Single Sign-On 7.3.7, and includes bug fixes and
enhancements, which are documented in the Release Notes document linked to
in the References.

Security Fix(es):

* keycloak: security issue on reset credential flow (CVE-2020-1718)

* keycloak: improper verification of certificate with host mismatch could
result in information disclosure (CVE-2020-1758)

* keycloak: problem with privacy after user logout (CVE-2020-1724)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1796756 - CVE-2020-1718 keycloak: security issue on reset credential flow
1800527 - CVE-2020-1724 keycloak: problem with privacy after user logout
1812514 - CVE-2020-1758 keycloak: improper verification of certificate with host mismatch could result in information disclosure

6. JIRA issues fixed (https://issues.jboss.org/):

KEYCLOAK-13797 - Create RPMs for the RH-SSO 7.3.8 release for RHEL6

7. Package List:

Red Hat Single Sign-On 7.3 for RHEL 6 Server:

Source:
rh-sso7-keycloak-4.8.20-1.Final_redhat_00001.1.el6sso.src.rpm

noarch:
rh-sso7-keycloak-4.8.20-1.Final_redhat_00001.1.el6sso.noarch.rpm
rh-sso7-keycloak-server-4.8.20-1.Final_redhat_00001.1.el6sso.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2020-1718
https://access.redhat.com/security/cve/CVE-2020-1724
https://access.redhat.com/security/cve/CVE-2020-1758
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXrrRntzjgjWX9erEAQgBWRAAnqSzYpDyJMCXsKin1SxPhnRXtDf0Fvw9
b6u32OoXwmbVx/ejhlrAuZt5ykM1kYUkMBaMe3dmNIRlcTe7NFxRJtjw/UURO/Bj
3GLjUX6wgnZKjd13mHmkbnm48A/6lhpuDo2+NdM8aeuWc/USyj2VSbmWp79JqmuV
vvNiFXhIFO2IvVfmJJ2BqVfrc53nk61ZUhyXXEW+UspwIQsKHLb7vLxHyz6lGpZO
chf3O4zVUKky5dWZuT2w2pDV2I1ROOdVwSntTLmML9Q6IzgGdrWzoQlxMBk4Z+oA
Ww8XLGwHJ4E6e0/0SLVb26nwBupRk8CtDaf41rNGIlMysDLcbHMrHkgNUsUKeAzl
NlyvzJFxn7mV3NTsfaM8adOu4S6+9J1oWmgNeO54d5i01nJjCTIkLryrjjqzU/v1
xwPIiMMoGaJweKd2tok0NafdXi4gzPvNRmG8IyBpb+FV6H3CHci0WD5vUNwD3qZD
0/S3oCFe87Mcef3fffoKb5cjtZQ4JDWeKBo0znUtbBUwWL7RqpTc9k4b1xgSu2nc
IGrWboUtoKO99Fyz7v0jWHD4MSx8in+Jk9zXRZtB/4waAJhRPKkC+Wt5+t80ue+T
obRp/nLwopi+yw6y4TbIm1qmshwjhbnK6noewSzcRRmxkR1ngrnWFZrJNnJb9fDF
xA5Pov0IYws==Arda
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXrs3cGaOgq3Tt24GAQjOUhAApD5YHl8ij8SEsxMffrE4QGaMhiK5QBVd
3S5mefbV+l+hynTdy1PFIHQqeEEIniwxdgshyTGI0wDvSK+ROXAOP9nSo9PLR+tr
b3VENqMDeZAizr0YQEMzh8yRHJ0MBzclysetnr7ngouXJscivojFp9oF+rF+VkfB
Ymob/2EyEU/ZOZiAV+vbkIxKNWmdZDWcI7dAWajWtJE7P0746upLs1Ztk3wkmOq1
KRvum2QmAT6Mw8DkMU7GhZkp9rDUT7TVY9jB+6YNmUBz+VR3gJ5+y9RFrex0BoG6
ltasihxq4LIiAXfcnk5AfVSJFol7NmRRWyTsrkhWm01dhIgtck8b57IKuMlXRJfg
2ebHfyihGwLrV0LfR/rwknppfGyXZmLiqE8LR1RZ2MNt2ezhG7MQfpsOGbAnvD7S
NQ2DEm5reZvcPh6unCZVNrFgs/Rl9RTcTYA/dc6chBE4KOf6+etP6rNC01/Sl+Jj
uDzg05X4ZrmM2ejb9nDdo/Qfix9y0N6XQe9pvjmzR9K8V84Scvu4zgR3STU66WS/
B1Rfctikm1vc7EPrgvY4mb48pnKHVCM87PM9MT3oyMFiE7WDeueayZCwpu8P52Z2
eF1jBqxhAPcSuRjUKN75q6Bu8aZoNvOekqYdsN330Yb/saFpqW3eQyIEVnRp8jQl
dnSkGKsKVI8=
=Jlk6
-----END PGP SIGNATURE-----