Mehrere Probleme in Red Hat Single Sign-On
ID: | RHSA-2019:1140-01 |
Distribution: | Red Hat |
Plattformen: | Red Hat Single Sign-On |
Datum: | Do, 9. Mai 2019, 23:46 |
Referenzen: | https://access.redhat.com/security/cve/CVE-2018-14642
https://access.redhat.com/security/cve/CVE-2019-3805 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=core.service.rhsso&version=7.3 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2019-3894 https://access.redhat.com/security/cve/CVE-2018-12023 https://access.redhat.com/security/cve/CVE-2019-3868 https://access.redhat.com/security/cve/CVE-2018-11307 https://access.redhat.com/security/cve/CVE-2018-12022 |
Applikationen: | Red Hat Single Sign-On |
Originalnachricht |
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Single Sign-On 7.3.1 security update Advisory ID: RHSA-2019:1140-01 Product: Red Hat Single Sign-On Advisory URL: https://access.redhat.com/errata/RHSA-2019:1140 Issue date: 2019-05-09 CVE Names: CVE-2018-11307 CVE-2018-12022 CVE-2018-12023 CVE-2018-14642 CVE-2018-14720 CVE-2018-14721 CVE-2019-3805 CVE-2019-3868 CVE-2019-3894 ===================================================================== 1. Summary: A security update is now available for Red Hat Single Sign-On 7.3 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.3.1 serves as a replacement for Red Hat Single Sign-On 7.3.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * keycloak: session hijack using the user access token (CVE-2019-3868) * jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307) * jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022) * jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023) * undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer (CVE-2018-14642) * jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720) * jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721) * wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805) * wildfly: wrong SecurityIdentity for EE concurrency threads that are reused (CVE-2019-3894) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1628702 - CVE-2018-14642 undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer 1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver 1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library 1677341 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis 1679144 - CVE-2019-3868 keycloak: session hijack using the user access token 1682108 - CVE-2019-3894 wildfly: wrong SecurityIdentity for EE concurrency threads that are reused 5. References: https://access.redhat.com/security/cve/CVE-2018-11307 https://access.redhat.com/security/cve/CVE-2018-12022 https://access.redhat.com/security/cve/CVE-2018-12023 https://access.redhat.com/security/cve/CVE-2018-14642 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2019-3805 https://access.redhat.com/security/cve/CVE-2019-3868 https://access.redhat.com/security/cve/CVE-2019-3894 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=core.service.rhsso&version=7.3 https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/ 6. Contact: The Red Hat security contact is |