[RHSA-2019:3048-01] Low: RH-SSO 7.3.4 adapters for Enterprise Application Platform 6 security update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Mon Oct 14 18:33:14 UTC 2019 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: RH-SSO 7.3.4 adapters for Enterprise Application Platform 6 security update
Advisory ID:       RHSA-2019:3048-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3048
Issue date:        2019-10-14
CVE Names:         CVE-2019-14820 
=====================================================================

1. Summary:

Red Hat Single Sign-On 7.3.4 adapters are now available for Red Hat JBoss
Enterprise Application Platform 6.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server - noarch
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server - noarch

3. Description:

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

These packages provide security updates to adapters for use with Red Hat
Single Sign-On 7.3.4 for Red Hat JBoss Enterprise Application Platform 6.

Security Fix(es):

* keycloak: adapter endpoints are exposed via arbitrary URLs
(CVE-2019-14820)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1649870 - CVE-2019-14820 keycloak: adapter endpoints are exposed via arbitrary URLs

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server:

Source:
keycloak-adapter-sso7_3-eap6-4.8.13-1.Final_redhat_00001.1.ep6.el6.src.rpm

noarch:
keycloak-adapter-sso7_3-eap6-4.8.13-1.Final_redhat_00001.1.ep6.el6.noarch.rpm
keycloak-saml-adapter-sso7_3-eap6-4.8.13-1.Final_redhat_00001.1.ep6.el6.noarch.rpm

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server:

Source:
keycloak-adapter-sso7_3-eap6-4.8.13-1.Final_redhat_00001.1.ep6.el7.src.rpm

noarch:
keycloak-adapter-sso7_3-eap6-4.8.13-1.Final_redhat_00001.1.ep6.el7.noarch.rpm
keycloak-saml-adapter-sso7_3-eap6-4.8.13-1.Final_redhat_00001.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-14820
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/

8. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXaS/Z9zjgjWX9erEAQjtxw/7Bu6V42F7CXOxFRl233Y/Rj2XmifdzDMh
JLY9Ir36eivJFz3F/fScPfgxR3H5hZaAqW7N8piZbcH3fEgi7aNbr+AXxIIpeU3w
2hQa6nIDYqDRyeE4KKIzdqCW+ktaD+TdgzbhpPr8qLP6IVrLxiOc2WFFki5HG9+K
cTuC7rszXrDSsQdVR/0+ItRlCVmd529m6vR+BNJeccUvfutk+hXZGPEUFKIp1Rkq
sjMf79ILS0m5wLTLhX22HIgutPpipGs3EhKWI9JKsfX4GnIML2XSK1mnWqrVklEj
IGwFjQKvnMjWBllvp5jJsg1zih9VyqZXx2xcu0npbt8n2Msahvd3pw/i0PIaeATY
RLogpAFS+vohCQvBTdFPDHuShMaQx4drh+FJMa5XWDsAMGQl2rj7S2pAfVyVMETm
g55sJ9Kk4qSfmwWwbk5Mrf8XK5bE2oQGmLDFNFa7UAL5nfxpnA4Uy+i6ifYH6Dsz
bqhZICefzFxC9wc+0Gdmn5SxoA6M/IWt5KxffIvfuChPNnjYCAbs8ephU2lMQWIZ
PHpFtUj7PSM6muwMqtsTzA4H+ocbTW+TP6f4Oz3uaFVHHZ20NrW01/QSolEH9IEE
ud5H7Ga42CB5Ur+h92fUy0Ls9zqDbG/G4FhBkHfcG2yCkZWJ8IvCl7JuIk9m6nsB
TPC9+ysTqVM=
=tjAM
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list