what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Red Hat Security Advisory 2017-0873-01

Red Hat Security Advisory 2017-0873-01
Posted Apr 5, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-0873-01 - Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.1 serves as a replacement for Red Hat Single Sign-On 7.0, and includes several bug fixes and enhancements. For further information regarding those, refer to the Release Notes linked to in the References section. Multiple security issues have been addressed.

tags | advisory, web
systems | linux, redhat
advisories | CVE-2016-8629, CVE-2016-9589, CVE-2017-2585
SHA-256 | 79f1397e335da631c141ff1aceaea694a1d27061d7e149de62d949b51682f823

Red Hat Security Advisory 2017-0873-01

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat Single Sign-On 7.1 update on RHEL 7
Advisory ID: RHSA-2017:0873-01
Product: Red Hat Single Sign-On
Advisory URL: https://access.redhat.com/errata/RHSA-2017:0873
Issue date: 2017-04-04
CVE Names: CVE-2016-8629 CVE-2016-9589 CVE-2017-2585
=====================================================================

1. Summary:

Red Hat Single Sign-On 7.1 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Single Sign-On 7.1 for RHEL 7 Server - noarch, x86_64

3. Description:

Red Hat Single Sign-On is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.1 serves as a replacement for Red
Hat Single Sign-On 7.0, and includes several bug fixes and enhancements.
For further information regarding those, refer to the Release Notes linked
to in the References section.

Security Fix(es):

* It was found that keycloak did not correctly check permissions when
handling service account user deletion requests sent to the REST server. An
attacker with service account authentication could use this flaw to bypass
normal permissions and delete users in a separate realm. (CVE-2016-8629)

* It was found that JBoss EAP 7 Header Cache was inefficient. An attacker
could use this flaw to cause a denial of service attack. (CVE-2016-9589)

* It was found that keycloak's implementation of HMAC verification for JWS
tokens uses a method that runs in non-constant time, potentially leaving
the application vulnerable to timing attacks. (CVE-2017-2585)

Red Hat would like to thank Gabriel Lavoie (Halogen Software) for reporting
CVE-2016-9589 and Richard Kettelerij (Mindloops) for reporting
CVE-2017-2585.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1388988 - CVE-2016-8629 keycloak: user deletion via incorrect permissions check
1404782 - CVE-2016-9589 wildfly: ParseState headerValuesCache can be exploited to fill heap with garbage
1412376 - CVE-2017-2585 keycloak: timing attack in JWS signature verification

6. JIRA issues fixed (https://issues.jboss.org/):

RHSSO-426 - Tracker bug for the RH-SSO-7.1.0 release for RHEL-7

7. Package List:

Red Hat Single Sign-On 7.1 for RHEL 7 Server:

Source:
rh-sso7-1-2.jbcs.el7.src.rpm
rh-sso7-freemarker-2.3.23-1.redhat_2.2.jbcs.el7.src.rpm
rh-sso7-javapackages-tools-3.4.1-5.15.3.jbcs.el7.src.rpm
rh-sso7-keycloak-2.5.5-2.Final_redhat_1.1.jbcs.el7.src.rpm
rh-sso7-libunix-dbus-java-0.8.0-2.jbcs.el7.src.rpm
rh-sso7-liquibase-3.4.1-2.redhat_2.1.jbcs.el7.src.rpm
rh-sso7-twitter4j-4.0.4-1.redhat_3.1.jbcs.el7.src.rpm
rh-sso7-zxing-3.2.1-1.redhat_4.1.jbcs.el7.src.rpm

noarch:
rh-sso7-freemarker-2.3.23-1.redhat_2.2.jbcs.el7.noarch.rpm
rh-sso7-javapackages-tools-3.4.1-5.15.3.jbcs.el7.noarch.rpm
rh-sso7-keycloak-2.5.5-2.Final_redhat_1.1.jbcs.el7.noarch.rpm
rh-sso7-keycloak-server-2.5.5-2.Final_redhat_1.1.jbcs.el7.noarch.rpm
rh-sso7-liquibase-3.4.1-2.redhat_2.1.jbcs.el7.noarch.rpm
rh-sso7-liquibase-core-3.4.1-2.redhat_2.1.jbcs.el7.noarch.rpm
rh-sso7-python-javapackages-3.4.1-5.15.3.jbcs.el7.noarch.rpm
rh-sso7-twitter4j-4.0.4-1.redhat_3.1.jbcs.el7.noarch.rpm
rh-sso7-twitter4j-core-4.0.4-1.redhat_3.1.jbcs.el7.noarch.rpm
rh-sso7-zxing-3.2.1-1.redhat_4.1.jbcs.el7.noarch.rpm
rh-sso7-zxing-core-3.2.1-1.redhat_4.1.jbcs.el7.noarch.rpm
rh-sso7-zxing-javase-3.2.1-1.redhat_4.1.jbcs.el7.noarch.rpm

x86_64:
rh-sso7-1-2.jbcs.el7.x86_64.rpm
rh-sso7-libunix-dbus-java-0.8.0-2.jbcs.el7.x86_64.rpm
rh-sso7-libunix-dbus-java-debuginfo-0.8.0-2.jbcs.el7.x86_64.rpm
rh-sso7-libunix-dbus-java-devel-0.8.0-2.jbcs.el7.x86_64.rpm
rh-sso7-runtime-1-2.jbcs.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2016-8629
https://access.redhat.com/security/cve/CVE-2016-9589
https://access.redhat.com/security/cve/CVE-2017-2585
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/html/release_notes/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFY49e3XlSAg2UNWIIRAsc0AJ47+aqYdW17/tIuGqD4EFdYNQLyzwCfdADF
148koh7hcPqbL1QK2W+L/Rg=
=8B8F
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    16 Files
  • 7
    Oct 7th
    12 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close