[RHSA-2017:0872-01] Moderate: Red Hat Single Sign-On 7.1 update on RHEL 6

bugzilla at redhat.com bugzilla at redhat.com
Tue Apr 4 17:28:15 UTC 2017 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Single Sign-On 7.1 update on RHEL 6
Advisory ID:       RHSA-2017:0872-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:0872
Issue date:        2017-04-04
CVE Names:         CVE-2016-8629 CVE-2016-9589 CVE-2017-2585 
=====================================================================

1. Summary:

Red Hat Single Sign-On 7.1 is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Single Sign-On 7.1 for RHEL 6 Server - noarch, x86_64

3. Description:

Red Hat Single Sign-On is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.1 serves as a replacement for Red
Hat Single Sign-On 7.0, and includes several bug fixes and enhancements.
For further information regarding those, refer to the Release Notes linked
to in the References section.

Security Fix(es):

* It was found that keycloak did not correctly check permissions when
handling service account user deletion requests sent to the REST server. An
attacker with service account authentication could use this flaw to bypass
normal permissions and delete users in a separate realm. (CVE-2016-8629)

* It was found that JBoss EAP 7 Header Cache was inefficient. An attacker
could use this flaw to cause a denial of service attack. (CVE-2016-9589)

* It was found that keycloak's implementation of HMAC verification for JWS
tokens uses a method that runs in non-constant time, potentially leaving
the application vulnerable to timing attacks. (CVE-2017-2585)

Red Hat would like to thank Gabriel Lavoie (Halogen Software) for reporting
CVE-2016-9589 and Richard Kettelerij (Mindloops) for reporting
CVE-2017-2585.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1388988 - CVE-2016-8629 keycloak: user deletion via incorrect permissions check
1404782 - CVE-2016-9589 wildfly: ParseState headerValuesCache can be exploited to fill heap with garbage
1412376 - CVE-2017-2585 keycloak: timing attack in JWS signature verification

6. JIRA issues fixed (https://issues.jboss.org/):

RHSSO-427 - Tracker bug for the RH-SSO 7.1.0 release for RHEL-6

7. Package List:

Red Hat Single Sign-On 7.1 for RHEL 6 Server:

Source:
rh-sso7-1-2.jbcs.el6.src.rpm
rh-sso7-freemarker-2.3.23-1.redhat_2.2.jbcs.el6.src.rpm
rh-sso7-javapackages-tools-3.4.1-5.15.3.jbcs.el6.src.rpm
rh-sso7-keycloak-2.5.5-2.Final_redhat_1.1.jbcs.el6.src.rpm
rh-sso7-libunix-dbus-java-0.8.0-2.jbcs.el6.src.rpm
rh-sso7-liquibase-3.4.1-2.redhat_2.1.jbcs.el6.src.rpm
rh-sso7-twitter4j-4.0.4-1.redhat_3.1.jbcs.el6.src.rpm
rh-sso7-zxing-3.2.1-1.redhat_4.1.jbcs.el6.src.rpm

noarch:
rh-sso7-freemarker-2.3.23-1.redhat_2.2.jbcs.el6.noarch.rpm
rh-sso7-javapackages-tools-3.4.1-5.15.3.jbcs.el6.noarch.rpm
rh-sso7-keycloak-2.5.5-2.Final_redhat_1.1.jbcs.el6.noarch.rpm
rh-sso7-keycloak-server-2.5.5-2.Final_redhat_1.1.jbcs.el6.noarch.rpm
rh-sso7-liquibase-3.4.1-2.redhat_2.1.jbcs.el6.noarch.rpm
rh-sso7-liquibase-core-3.4.1-2.redhat_2.1.jbcs.el6.noarch.rpm
rh-sso7-python-javapackages-3.4.1-5.15.3.jbcs.el6.noarch.rpm
rh-sso7-twitter4j-4.0.4-1.redhat_3.1.jbcs.el6.noarch.rpm
rh-sso7-twitter4j-core-4.0.4-1.redhat_3.1.jbcs.el6.noarch.rpm
rh-sso7-zxing-3.2.1-1.redhat_4.1.jbcs.el6.noarch.rpm
rh-sso7-zxing-core-3.2.1-1.redhat_4.1.jbcs.el6.noarch.rpm
rh-sso7-zxing-javase-3.2.1-1.redhat_4.1.jbcs.el6.noarch.rpm

x86_64:
rh-sso7-1-2.jbcs.el6.x86_64.rpm
rh-sso7-libunix-dbus-java-0.8.0-2.jbcs.el6.x86_64.rpm
rh-sso7-libunix-dbus-java-debuginfo-0.8.0-2.jbcs.el6.x86_64.rpm
rh-sso7-libunix-dbus-java-devel-0.8.0-2.jbcs.el6.x86_64.rpm
rh-sso7-runtime-1-2.jbcs.el6.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2016-8629
https://access.redhat.com/security/cve/CVE-2016-9589
https://access.redhat.com/security/cve/CVE-2017-2585
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/

9. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFY49eoXlSAg2UNWIIRApPlAJ9usN8rgpxTNN7EOfVquJm59+hfuACfeaOU
zZeRDSbUkmbyR8qTdTW3ZQo=
=rpjs
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list