Mehrere Probleme in Red Hat Single Sign-On
ID: | RHSA-2019:1456-01 |
Distribution: | Red Hat |
Plattformen: | Red Hat Single Sign-On |
Datum: | Di, 11. Juni 2019, 22:16 |
Referenzen: | https://access.redhat.com/security/cve/CVE-2018-14041
https://access.redhat.com/security/cve/CVE-2019-11358 https://access.redhat.com/security/cve/CVE-2019-10157 https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.3 https://access.redhat.com/security/cve/CVE-2019-3875 https://access.redhat.com/security/cve/CVE-2018-20677 https://access.redhat.com/security/cve/CVE-2018-20676 https://access.redhat.com/security/cve/CVE-2019-3873 https://access.redhat.com/security/cve/CVE-2019-3888 https://access.redhat.com/security/cve/CVE-2016-10735 https://access.redhat.com/security/cve/CVE-2019-3872 https://access.redhat.com/security/cve/CVE-2019-8331 |
Applikationen: | Red Hat Single Sign-On |
Originalnachricht |
|
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat Single Sign-On 7.3.2 security update Advisory ID: RHSA-2019:1456-01 Product: Red Hat Single Sign-On Advisory URL: https://access.redhat.com/errata/RHSA-2019:1456 Issue date: 2019-06-11 CVE Names: CVE-2016-10735 CVE-2018-14041 CVE-2018-20676 CVE-2018-20677 CVE-2019-3872 CVE-2019-3873 CVE-2019-3875 CVE-2019-3888 CVE-2019-8331 CVE-2019-10157 CVE-2019-11358 ===================================================================== 1. Summary: A security update is now available for Red Hat Single Sign-On 7.3 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.3.2 serves as a replacement for Red Hat Single Sign-On 7.3.1, and includes bug fixes and enhancements, which are documented in the Release Notes document. Security Fix(es): * bootstrap: XSS in the data-target attribute (CVE-2016-10735) * bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy (CVE-2018-14041) * bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676) * bootstrap: XSS in the affix configuration target property (CVE-2018-20677) * picketlink: reflected XSS in SAMLRequest via RelayState parameter (CVE-2019-3872) * picketlink: URL injection via xinclude parameter (CVE-2019-3873) * keycloak: X.509 authentication: CRL signatures are not verified (CVE-2019-3875) * undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888) * bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331) * keycloak: Node.js adapter internal NBF can be manipulated (CVE-2019-10157) * js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1601616 - CVE-2018-14041 bootstrap: Cross-site Scripting (XSS) in the data-target property of scrollspy 1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute 1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property 1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute 1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute 1688966 - CVE-2019-3872 picketlink: reflected XSS in SAMLRequest via RelayState parameter 1689014 - CVE-2019-3873 picketlink: URL injection via xinclude parameter 1690628 - CVE-2019-3875 keycloak: missing signatures validation on CRL used to verify client certificates 1693777 - CVE-2019-3888 undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed 1701972 - CVE-2019-11358 js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection 1702953 - CVE-2019-10157 keycloak: Node.js adapter internal NBF can be manipulated leading to DoS. 5. References: https://access.redhat.com/security/cve/CVE-2016-10735 https://access.redhat.com/security/cve/CVE-2018-14041 https://access.redhat.com/security/cve/CVE-2018-20676 https://access.redhat.com/security/cve/CVE-2018-20677 https://access.redhat.com/security/cve/CVE-2019-3872 https://access.redhat.com/security/cve/CVE-2019-3873 https://access.redhat.com/security/cve/CVE-2019-3875 https://access.redhat.com/security/cve/CVE-2019-3888 https://access.redhat.com/security/cve/CVE-2019-8331 https://access.redhat.com/security/cve/CVE-2019-10157 https://access.redhat.com/security/cve/CVE-2019-11358 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.3 https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/ 6. Contact: The Red Hat security contact is |