RHSA-2019:1140: Red Hat Security Advisory: Red Hat Single Sign-On 7.3.1 security update

A security update is now available for Red Hat Single Sign-On 7.3 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[2021-07-07 UPDATE: The advisory was originally published with incomplete informational links and has been republished to update those links. NO CODE HAS CHANGED WITH THIS UPDATE, AND NO ACTION IS REQUIRED.]

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.3.1 serves as a replacement for Red Hat Single Sign-On 7.3.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • keycloak: session hijack using the user access token (CVE-2019-3868)
  • jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)
  • jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)
  • jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)
  • undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer (CVE-2018-14642)
  • jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)
  • jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)
  • wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805)
  • wildfly: wrong SecurityIdentity for EE concurrency threads that are reused (CVE-2019-3894)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Related CVEs:
  • CVE-2018-11307: jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
  • CVE-2018-12022: jackson-databind: improper polymorphic deserialization of types from Jodd-db library
  • CVE-2018-12023: jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
  • CVE-2018-14642: undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer
  • CVE-2018-14720: jackson-databind: exfiltration/XXE in some JDK classes
  • CVE-2018-14721: jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
  • CVE-2019-3805: wildfly: Race condition on PID file allows for termination of arbitrary processes by local users
  • CVE-2019-3868: keycloak: session hijack using the user access token
  • CVE-2019-3894: wildfly: wrong SecurityIdentity for EE concurrency threads that are reused
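Four of the fixes above are jackson-databind polymorphic deserialization issues, and all of them share one precondition: the application has turned on jackson's global "default typing", which lets the JSON document itself name the Java class to instantiate. The following is an added example, not code from this advisory, from Red Hat, or from the Keycloak project. It shows the unrestricted mode those CVEs concern next to the allow-listed mode jackson-databind added in 2.10 (`activateDefaultTyping` with a `PolymorphicTypeValidator`), which is what an application team that owns its own `ObjectMapper` should be using. The `Envelope` and `Greeting` classes and the sample JSON are constructed for the illustration; the second input names `java.util.ArrayList` only because it is a harmless class outside the allow list.

```java
// Added example, not from the advisory or any Red Hat/Keycloak source.
// Requires jackson-databind 2.10 or later on the classpath.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    /** Constructed model: a field declared as Object is exactly what default typing acts on. */
    public static class Envelope {
        public Object payload;
    }

    /** Constructed model: the only payload type the application intends to accept. */
    public static class Greeting {
        public String text;
    }

    /** Pre-2.10 style: global default typing with no restriction on the type id. */
    static ObjectMapper unrestrictedMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    /** Hardened: default typing is still on, but only allow-listed classes resolve. */
    static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                // Match the exact class name; a package prefix would be broader than needed.
                .allowIfSubType(Greeting.class.getName())
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: with default typing the first array element is the
        // class to instantiate, and it is chosen by whoever wrote the JSON.
        String expected = "{\"payload\":[\"" + Greeting.class.getName()
                + "\",{\"text\":\"hi\"}]}";
        String arbitrary = "{\"payload\":[\"java.util.ArrayList\",[]]}";

        // The allow-listed type still deserializes normally.
        Envelope ok = restrictedMapper().readValue(expected, Envelope.class);
        System.out.println("allow-listed payload: " + ((Greeting) ok.payload).text);

        // The unrestricted mapper instantiates whatever class the document names.
        Object any = unrestrictedMapper().readValue(arbitrary, Envelope.class).payload;
        System.out.println("unrestricted mapper instantiated " + any.getClass().getName());

        // The validator rejects an unlisted type id before any instance is created.
        try {
            restrictedMapper().readValue(arbitrary, Envelope.class);
            System.out.println("unexpected: restricted mapper accepted the type id");
        } catch (InvalidTypeIdException e) {
            System.out.println("restricted mapper refused: " + e.getMessage());
        }
    }
}
```

The validator is deny-by-default: a type id that matches no `allowIf*` rule raises `InvalidTypeIdException` instead of being resolved, so new gadget classes found in dependencies later do not widen the attack surface. For RH-SSO itself the remediation is the update in this advisory, since the jackson-databind instance there is the product's, not the deployer's; the example is for teams that configure their own `ObjectMapper` in applications fronted by RH-SSO.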
Red Hat Security Data