This software patch resolves a number of security defects and customer reported bugs in Red Hat Single Sign-On 7.2. RH-SSO will deliver patches on a repeating schedule to resolve security defects and customer reported bugs. Fixes for RH-SSO 7.2 will continue until RH-SSO 7.3 is released, and at that time maintenance will be delivered on RH-SSO 7.3.
Updated client adapters are released as needed to resolve customer reported issues or security fixes. Because adapters are released only as needed, a given cumulative patch version will often not have an associated client adapter for every product.
For more information on which client adapters are tested and supported with Red Hat Single Sign-On versions see: Red Hat Single Sign-On adapter and server compatibility
This update includes all fixes and changes from Red Hat Single Sign-On 7.2 Update 04.
Red Hat Single Sign-On Server component also includes Red Hat JBoss Enterprise Application Platform and this update includes JBoss Enterprise Application Platform 7.1 Update 5. See the JBoss Enterprise Application Platform 7.1 Update 5 Release Notes for a list of changes included in that release.
This update includes fixes for the following security related issues:
ID | Component | Summary |
---|---|---|
CVE-2018-10894 | Server | auth permitted with expired certs in SAML client |
CVE-2018-14657 | Server | brute force protection not working for the entire login workflow |
CVE-2018-14655 | Server | XSS-Vulnerability with response_mode=form_post |
CVE-2018-14658 | Server | Open Redirect in Login and Logout |
This update includes the following bug fixes or changes:
ID | Component | Summary |
---|---|---|
RHSSO-1626 (no public issue) | Server | Realm partial export does no permission/role check |
KEYCLOAK-6980 | Protocol - OIDC | RH-SSO does not check for already used JWT client_assertion (OIDC private_key_jwt) |
KEYCLOAK-8218 | Protocol - SAML | BaseSAML2BindingBuilder cleans URL parameters in a SAML provider |
KEYCLOAK-6803 | Server | Sign-up error with custom UserStorageProvider |
RHSSO-1305 (no public issue) | Distribution | Upgrade RPM version to 7.2 fails |
KEYCLOAK-6757 | Server | Migrate from Microsoft live API to Microsoft Graph due to deprecation this year |
KEYCLOAK-6038 | | Automated test for Kerberos cross-realm trust |
KEYCLOAK-7943 | | RH-SSO admin console allows the Property setting on a SAML User Property mapper to be empty/blank |
KEYCLOAK-7944 | Server | Fail to create a primary key on (USER_SESSION_ID, CLIENT_ID, OFFLINE_FLAG) when migrating to 7.2 |
KEYCLOAK-7975 | | Updating execution with Oracle DB causes unique constraint (DBALLO00.CONSTRAINT_AUTH_CFG_PK) violated |
KEYCLOAK-8080 | | Update Realm Events Config doesn't create an admin event |
KEYCLOAK-4743 | | ReCAPTCHA and Social Identity providers behind web proxy |
KEYCLOAK-8101 | Adapters - Fuse | NPE in PathBasedKeycloakConfigResolver when cache is empty |
KEYCLOAK-6962 | Distribution | Incorrect rpm group name for rhel 6 and 7 in cdn |
RHSSO-1266 (no public issue) | Protocol - SAML | Cannot parse SAML status message with StatusDetail |
For instructions on applying a Red Hat Single Sign-On cumulative patch (also referred to as a Micro Release) see Micro Upgrades in the Red Hat Single Sign-On 7.2 Patching And Upgrading Guide.
The adapters are distributed as a full release which is intended to replace the existing adapter. Full details are available in Upgrading Red Hat Single Sign-On Adapters.