RHSA-2019:1140: Red Hat Security Advisory: Red Hat Single Sign-On 7.3.1 security update
A security update is now available for Red Hat Single Sign-On 7.3 from the Customer Portal.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[2021-07-07 UPDATE: The advisory was originally published with incomplete informational links and has been republished to update those links. NO CODE HAS CHANGED WITH THIS UPDATE, AND NO ACTION IS REQUIRED.]

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.3.1 serves as a replacement for Red Hat Single Sign-On 7.3.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):
- keycloak: session hijack using the user access token (CVE-2019-3868)
- jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)
- jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)
- jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)
- undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer (CVE-2018-14642)
- jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)
- jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)
- wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805)
- wildfly: wrong SecurityIdentity for EE concurrency threads that are reused (CVE-2019-3894)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Related CVEs:
- CVE-2018-11307: jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
- CVE-2018-12022: jackson-databind: improper polymorphic deserialization of types from Jodd-db library
- CVE-2018-12023: jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
- CVE-2018-14642: undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer
- CVE-2018-14720: jackson-databind: exfiltration/XXE in some JDK classes
- CVE-2018-14721: jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
- CVE-2019-3805: wildfly: Race condition on PID file allows for termination of arbitrary processes by local users
- CVE-2019-3868: keycloak: session hijack using the user access token
- CVE-2019-3894: wildfly: wrong SecurityIdentity for EE concurrency threads that are reused