[RHSA-2023:3892-01] Important: Red Hat Single Sign-On 7.6.4 security update

Security announcements for all Red Hat products and services. rhsa-announce at redhat.com
Tue Jun 27 21:50:14 UTC 2023 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On 7.6.4 security update
Advisory ID:       RHSA-2023:3892-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3892
Issue date:        2023-06-27
CVE Names:         CVE-2021-39144 CVE-2022-4361 CVE-2023-1108 
                   CVE-2023-1664 CVE-2023-2422 CVE-2023-2585 
=====================================================================

1. Summary:

A security update is now available for Red Hat Single Sign-On 7.6 from the
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.6.4 serves as a replacement for
Red Hat Single Sign-On 7.6.3, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.

Security Fix(es):

* keycloak: Cross-site scripting when validating URI-schemes on SAML and
OIDC (CVE-2022-4361)

* keycloak: oauth client impersonation (CVE-2023-2422)

* keycloak: Untrusted Certificate Validation (CVE-2023-1664)

* undertow: Infinite loop in SslConduit during close (CVE-2023-1108)

* keycloak: client access via device auth request spoof (CVE-2023-2585)

* xstream: Arbitrary code execution via unsafe deserialization of
sun.tracing.* (CVE-2021-39144)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1997772 - CVE-2021-39144 xstream: Arbitrary code execution via unsafe deserialization of sun.tracing.*
2151618 - CVE-2022-4361 Keycloak | RHSSO: XSS due to lax URI scheme validation
2174246 - CVE-2023-1108 Undertow: Infinite loop in SslConduit during close
2182196 - CVE-2023-1664 keycloak: Untrusted Certificate Validation
2191668 - CVE-2023-2422 keycloak: oauth client impersonation
2196335 - CVE-2023-2585 keycloak: client access via device auth request spoof

5. References:

https://access.redhat.com/security/cve/CVE-2021-39144
https://access.redhat.com/security/cve/CVE-2022-4361
https://access.redhat.com/security/cve/CVE-2023-1108
https://access.redhat.com/security/cve/CVE-2023-1664
https://access.redhat.com/security/cve/CVE-2023-2422
https://access.redhat.com/security/cve/CVE-2023-2585
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZJtZltzjgjWX9erEAQjp7w/+PVnQj3iscLy7t8uh2ALC/EOE+uD+oOZl
sDUfI7n5uPLq1NidzM2PL7jc1fEIYHVZfU8siqOZCkKXkb+QG0rxliynGbggvQCW
KpcgN6kFk94nF9h1TGGdXAvo+POj3dWy98Vl6+i2lwYWro3WeWl+Szayr8FjNXPp
0dS6hAQQt889edUgYj5s2tpSfaYQNqLhKNNnjyJKrWr8k3qpc+Va1A/i2eXeXDdr
O6esc6NE4apHmKFc9rWMSlct8Yzi37K+dCybjgI+u93tOwB8N4DWtBun27DagQYB
Cc3GTgWyczMSKBNi6e9C86VvJ1c5jvAQ5DIJ1ez+OO41D6qQkhwtg8WG7GIF/MFH
LcdOfk4arzEsVd1G5vkU/tiGRUChUeyu9xm7k57M/454qP5AmDUdPQSvgqmgWwBM
cwKx0YkxMl5qSRSVDxEjD9CzcfDz6b+YvTxaFb8C3IRUhYwsuoy7kdMJ8vuY6rj0
IDAJ7zC1sVb5FKR4E23Fp9Ma7M0+lUV87Y3UF1fE1pswQQ/aJu2q3k+N5PLM+9A7
q2ZhNEic6CBU8DoRBeU/JVM8j+bEgM17Bf98A1rebQdfLQ8Dd2sF7ngEuO7dLGgD
LNqaHScdEl14Nq6xAUV5VmjKq+k4n+nWfl20aFddDH9b1afhlmAR55SNvK75Eud3
prjQ1em3Iw8=
=qI1p
-----END PGP SIGNATURE-----

More information about the RHSA-announce mailing list