This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.2. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.2 will continue until RH-SSO 7.3 is released, and at that time maintenance will be delivered on RH-SSO 7.3.
Updated client adapters are released as needed to resolve customer reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for every product.
For more information on which client adapters are tested and supported with Red Hat Single Sign-On versions, see: Red Hat Single Sign-On adapter and server compatibility
This update includes all fixes and changes from Red Hat Single Sign-On 7.2 Update 04.
This update includes fixes for the following security related issues:
ID | Component | Summary |
---|---|---|
KEYCLOAK-7094 | Adapters - JBoss EAP | SAML Logout not working when the logout-page is a protected resource |
CVE-2018-10912 | Server | Replace command might fail and cause endless loop when cache owners >= 2 |
CVE-2017-12624 | Server (EAP) | cxf: Improper size validation in message attachment header for JAX-WS and JAX-RS services |
CVE-2018-10237 | Server (EAP) | guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service |
CVE-2018-1000180 | Server (EAP) | bouncycastle: flaw in the low-level interface to RSA key pair generator |
CVE-2018-10862 | Server (EAP) | wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip) |
CVE-2018-8039 | Server (EAP) | apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.* |
This update includes the following bug fixes or changes:
ID | Component | Summary |
---|---|---|
KEYCLOAK-7745 | | JTA error if offline sessions can't be preloaded at startup within 5 minutes |
KEYCLOAK-7634 | | Unable to export clients created on RH-SSO 7.1 after upgrade to RH-SSO 7.2 |
KEYCLOAK-4976 | | AbstractUserAdapterFederatedStorage.setSingleAttribute(,) causing deadlocks on MSSQL |
KEYCLOAK-7667 | Protocol - SAML | Encrypted saml results in 'The prefix "ds" for element "ds:KeyInfo" is not bound' error when namespace declared prior to EncryptedData element |
KEYCLOAK-7316 | Protocol - SAML | NPE when SAML AuthnRequest does not contain optional IsPassive attribute |
KEYCLOAK-7331 | Protocol - SAML | NPE when SAML AuthnRequest does not contain optional Issuer field |
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release), see Micro Upgrades in the Red Hat Single Sign-On 7.2 Patching and Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.