This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.2. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.2 will continue until RH-SSO 7.3 is released, and at that time maintenance will be delivered on RH-SSO 7.3.
Updated client adapters are released as needed to resolve customer-reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version often will not have an associated client adapter for every product.
For more information on which client adapters are tested and supported with Red Hat Single Sign-On versions, see: Red Hat Single Sign-On adapter and server compatibility
This update includes all fixes and changes from JBoss EAP 7.2 Update 02.
This update includes fixes for the following security related issues:
ID | Component | Summary |
---|---|---|
CVE-2017-3523 | Server | mysql-connector-java: Improper automatic deserialization of binary data (CPU Apr 2017) |
CVE-2018-1114 JBEAP-14672 | Server | File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service |
This update includes the following bug fixes or changes:
ID | Component | Summary |
---|---|---|
JBEAP-14479 | Server | Fix Infinispan memory leak |
KEYCLOAK-6814 | | RestartLoginCookie should check for existence of HMAC key |
RHSSO-1271 (non-public) | | Access to protected resource is not denied on EAP6 + JDK7 |
RHSSO-1212 (non-public) | Adapters | Fuse 7 adapter support - Tech Preview |
RHSSO-1401 (non-public) | Adapters | Servlet filter adapter missing from maven repositories |
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.2 Patching And Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.