This software patch resolves a number of security defects and customer-reported bugs in Red Hat Single Sign-On 7.1. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer-reported bugs. Fixes for RH-SSO 7.1 will continue until RH-SSO 7.2 is released, at which point maintenance will be delivered on RH-SSO 7.2.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter release for every product.
For more information on which client adapters are tested and supported with Red Hat Single Sign-On versions, see: Red Hat Single Sign-On adapter and server compatibility
This update includes all fixes and changes from Red Hat Single Sign-On 7.1 Update 02.
This update includes fixes for the following security related issues:
ID | Component | Summary |
---|---|---|
CVE-2017-12158 | Server | Admin console vulnerable to reflected XSS using HOST header |
CVE-2017-12160 | Server | resource privilege extension via access token in oauth |
CVE-2017-12159 | Server | CSRF token fixation in Keycloak Account Service |
CVE-2017-12197 | Server | Account check bypass |
This update includes the following bug fixes or changes:
ID | Component | Summary |
---|---|---|
KEYCLOAK-4924 | Protocol - OIDC | Duplicate JWT claims |
KEYCLOAK-5136 | Server | Browser refresh on registration page fails due to code verification error |
CLOUD-2019 | Server | Missing bin/client/keycloak-client-registration-cli-2.5.7.Final-redhat-2.jar from Red Hat SSO 7.1 Openshift image |
RHSSO-1123 (internal) | | org.keycloak:keycloak-authz-parent:pom is not released by RH-SSO to maven.repository.redhat.com/ga |
KEYCLOAK-5318 | Protocol - SAML | SAML signature verification incorrectly re-applies url-encoding prior to verification |
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.1 Patching And Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.