=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On 7.4.4 security update
Advisory ID:       RHSA-2020:5533-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5533
Issue date:        2020-12-15
CVE Names:         CVE-2020-10695 CVE-2020-13822 CVE-2020-25638
                   CVE-2020-25649 CVE-2020-27826
=====================================================================

1. Summary:

A security update is now available for Red Hat Single Sign-On 7.4 from the
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.4.4 serves as a replacement for
Red Hat Single Sign-On 7.4.3, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.

Security Fix(es):

* redhat-sso-7-openshift-containers: /etc/passwd is given incorrect
privileges (CVE-2020-10695)

* hibernate-core: SQL injection vulnerability when both
hibernate.use_sql_comments and JPQL String literals are used
(CVE-2020-25638)

* jackson-databind: FasterXML DOMDeserializer insecure entity expansion is
vulnerable to XML external entity (XXE) (CVE-2020-25649)

* keycloak: Account REST API can update user metadata attributes
(CVE-2020-27826)

* keycloak-nodejs-connect: nodejs-elliptic: improper encoding checks allows
a certain degree of signature malleability in ECDSA signatures
(CVE-2020-13822)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1817530 - CVE-2020-10695 containers/redhat-sso-7: /etc/passwd is given incorrect privileges
1848647 - CVE-2020-13822 nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures
1881353 - CVE-2020-25638 hibernate-core: SQL injection vulnerability when both hibernate.use_sql_comments and JPQL String literals are used
1887664 - CVE-2020-25649 jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
1905089 - CVE-2020-27826 keycloak: Account REST API can update user metadata attributes

5. References:

https://access.redhat.com/security/cve/CVE-2020-10695
https://access.redhat.com/security/cve/CVE-2020-13822
https://access.redhat.com/security/cve/CVE-2020-25638
https://access.redhat.com/security/cve/CVE-2020-25649
https://access.redhat.com/security/cve/CVE-2020-27826
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
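As an added, defender-side illustration of the encoding-check malleability class fixed for keycloak-nodejs-connect (CVE-2020-13822) in the Security Fix(es) above, and not code from Red Hat, Keycloak or the elliptic library: a strict DER decoder for ECDSA signatures that accepts exactly one byte encoding per (r, s) pair, rejecting leading zeros, long-form lengths and trailing bytes, and then applies range and low-S checks so that s and n - s cannot both pass. The curve order used is P-256's, an assumption since the advisory names no curve, and every signature byte string in the example is constructed for the demonstration.

```javascript
// Added example, not code from Red Hat, Keycloak or the elliptic library.
// A strict DER decoder for ECDSA signatures: each (r, s) pair must have
// exactly one accepted byte encoding. Lenient decoders that tolerate
// leading zeros, long-form lengths or trailing bytes accept several
// distinct byte strings for one signature, which is the encoding-check
// malleability class named for CVE-2020-13822.

// Group order of P-256 (assumed curve; the advisory does not name one).
const P256_ORDER = BigInt(
  '0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551'
);

function bytesToBigInt(bytes) {
  let v = 0n;
  for (const b of bytes) v = (v << 8n) | BigInt(b);
  return v;
}

// Decode one minimally encoded, non-negative DER INTEGER at `offset`.
// Returns { value, next } where `next` is the offset just past it.
function readDerInteger(buf, offset) {
  if (buf[offset] !== 0x02) throw new Error('expected INTEGER tag');
  const len = buf[offset + 1];
  if (len === undefined || len === 0 || len >= 0x80) {
    throw new Error('INTEGER length must be short-form and non-zero');
  }
  const start = offset + 2;
  const end = start + len;
  if (end > buf.length) throw new Error('INTEGER runs past end of data');
  const body = buf.subarray(start, end);
  if (body[0] & 0x80) throw new Error('negative INTEGER');
  // A leading 0x00 is allowed only when the next byte has its high bit set;
  // otherwise the same value has a shorter encoding and this one is rejected.
  if (body[0] === 0x00 && len > 1 && !(body[1] & 0x80)) {
    throw new Error('non-minimal leading zero');
  }
  return { value: bytesToBigInt(body), next: end };
}

// Parse SEQUENCE { r INTEGER, s INTEGER } with no slack anywhere.
function parseStrictDerSignature(buf) {
  if (buf[0] !== 0x30) throw new Error('expected SEQUENCE tag');
  if (buf.length < 8) throw new Error('signature too short');
  const seqLen = buf[1];
  if (seqLen >= 0x80) throw new Error('long-form SEQUENCE length');
  if (seqLen !== buf.length - 2) throw new Error('SEQUENCE length mismatch');
  const r = readDerInteger(buf, 2);
  const s = readDerInteger(buf, r.next);
  if (s.next !== buf.length) throw new Error('trailing bytes inside SEQUENCE');
  return { r: r.value, s: s.value };
}

// Full check: strict encoding, scalar range, and low-S normalisation.
// Returns 'ok' or the reason the signature was rejected.
function validateSignature(hex, order = P256_ORDER) {
  let sig;
  try {
    sig = parseStrictDerSignature(Buffer.from(hex, 'hex'));
  } catch (e) {
    return e.message;
  }
  if (sig.r === 0n || sig.r >= order) return 'r out of range';
  if (sig.s === 0n || sig.s >= order) return 's out of range';
  // Both s and (order - s) verify against the same message and key;
  // accepting only the smaller one removes that second valid form.
  if (sig.s > order / 2n) return 'high-S';
  return 'ok';
}

// Constructed sample: the canonical encoding of r = 1, s = 2.
console.log(validateSignature('3006020101020102'));
// Constructed sample: same r and s, but r carries a needless leading zero.
console.log(validateSignature('300702020001020102'));
```

Each rejection reason corresponds to one way a lenient decoder would let a second byte string stand in for an already-seen signature; a verifier that consumes signatures as replay or audit keys should run exactly this kind of canonicalisation before trusting the bytes as an identifier.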