RHSA-2018:2428: Red Hat Security Advisory: Red Hat Single Sign-On 7.2.4 security update
A security update is now available for Red Hat Single Sign-On 7.2 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[2021-07-07 UPDATE: The advisory was originally published with incomplete informational links and has been republished to update those links. NO CODE HAS CHANGED WITH THIS UPDATE, AND NO ACTION IS REQUIRED.]

Red Hat Single Sign-On 7.2 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.2.4 serves as a replacement for Red Hat Single Sign-On 7.2.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):
- guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237)
- bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180)
- cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services (CVE-2017-12624)
- wildfly: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (CVE-2018-10862)
- cxf-core: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.* (CVE-2018-8039)
- keycloak: infinite loop in session replacement leading to denial of service (CVE-2018-10912)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Related CVEs:
- CVE-2017-12624: cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services
- CVE-2018-8039: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.*
- CVE-2018-10237: guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
- CVE-2018-10862: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip)
- CVE-2018-10912: keycloak: infinite loop in session replacement leading to denial of service
- CVE-2018-1000180: bouncycastle: flaw in the low-level interface to RSA key pair generator
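As an added illustration of the bug class behind CVE-2018-10862 (Zip Slip), and not code from Red Hat, WildFly or this advisory: a defensive archive extractor that resolves each entry's target path and refuses any entry that would land outside the destination directory. The archive, its entry names and the `deploy` directory name are constructed here for the demonstration.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path


def safe_extract(zip_bytes: bytes, dest: str) -> dict:
    """Extract an archive into dest, rejecting entries whose resolved path escapes dest.

    Returns {"written": [entry names written], "rejected": [entry names refused]}.
    """
    dest_root = Path(dest).resolve()
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Resolve the would-be target; "../" segments and absolute names collapse here.
            target = (dest_root / name).resolve()
            if target != dest_root and dest_root not in target.parents:
                rejected.append(name)  # Zip Slip attempt: path escapes dest_root
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return {"written": written, "rejected": rejected}


def build_sample_archive() -> bytes:
    """Constructed sample: one ordinary .war-style entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("../../escaped.txt", "would be written outside the deployment dir")
    return buf.getvalue()


def demo() -> dict:
    """Run the extractor in a scratch directory and report what landed where."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "deploy")  # constructed deployment directory
        result = safe_extract(build_sample_archive(), dest)
        # "../../escaped.txt" relative to tmp/deploy resolves to the parent of tmp.
        result["escaped_exists"] = os.path.exists(os.path.join(os.path.dirname(tmp), "escaped.txt"))
        result["web_xml_exists"] = os.path.exists(os.path.join(dest, "WEB-INF", "web.xml"))
    return result
```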