-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On 7.6.2 security update
Advisory ID:       RHSA-2023:1049-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1049
Issue date:        2023-03-01
CVE Names:         CVE-2018-14040 CVE-2018-14042 CVE-2019-11358
                   CVE-2020-11022 CVE-2020-11023 CVE-2021-35065
                   CVE-2021-44906 CVE-2022-1274 CVE-2022-1438
                   CVE-2022-1471 CVE-2022-2237 CVE-2022-2764
                   CVE-2022-3782 CVE-2022-3916 CVE-2022-4137
                   CVE-2022-24785 CVE-2022-25857 CVE-2022-31129
                   CVE-2022-37603 CVE-2022-38749 CVE-2022-38750
                   CVE-2022-38751 CVE-2022-40149 CVE-2022-40150
                   CVE-2022-42003 CVE-2022-42004 CVE-2022-45047
                   CVE-2022-45693 CVE-2022-46175 CVE-2022-46363
                   CVE-2022-46364 CVE-2023-0091 CVE-2023-0264
====================================================================
1. Summary:

A security update is now available for Red Hat Single Sign-On 7.6 from the
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.6.2 serves as a replacement for
Red Hat Single Sign-On 7.6.1, and includes bug fixes and enhancements,
which are documented in the Release Notes document linked to in the
References.

Security Fix(es):
* keycloak: XSS on impersonation under specific circumstances
(CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK
forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service
(CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens
(CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in
java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
(CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation
(CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service
(CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code
(CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution
(CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the
data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new
JSONObject(map) cause StackOverflowError which may lead to dos
(CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability
(CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter
method (CVE-2020-11022)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent
attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of
service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)
* Keycloak Node.js Adapter: Open redirect vulnerability in checkSSO
(CVE-2022-2237)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip
1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
2031904 - CVE-2022-1438 keycloak: XSS on impersonation under specific circumstances
2066009 - CVE-2021-44906 minimist: prototype pollution
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale
2073157 - CVE-2022-1274 keycloak: HTML injection in execute-actions-email Admin REST API
2097007 - CVE-2022-2237 Keycloak Node.js Adapter: Open redirect vulnerability in checkSSO
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2117506 - CVE-2022-2764 Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow
2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding
2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service
2141404 - CVE-2022-3916 keycloak: Session takeover with OIDC offline refreshtokens
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2148496 - CVE-2022-4137 keycloak: reflected XSS attack
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2155970 - CVE-2022-45693 jettison:  If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos
2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method
2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service
2158585 - CVE-2023-0091 keycloak: Client Registration endpoint does not check token revocation
2160585 - CVE-2023-0264 keycloak: user impersonation via stolen uuid code

5. References:

https://access.redhat.com/security/cve/CVE-2018-14040
https://access.redhat.com/security/cve/CVE-2018-14042
https://access.redhat.com/security/cve/CVE-2019-11358
https://access.redhat.com/security/cve/CVE-2020-11022
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/cve/CVE-2021-35065
https://access.redhat.com/security/cve/CVE-2021-44906
https://access.redhat.com/security/cve/CVE-2022-1274
https://access.redhat.com/security/cve/CVE-2022-1438
https://access.redhat.com/security/cve/CVE-2022-1471
https://access.redhat.com/security/cve/CVE-2022-2237
https://access.redhat.com/security/cve/CVE-2022-2764
https://access.redhat.com/security/cve/CVE-2022-3782
https://access.redhat.com/security/cve/CVE-2022-3916
https://access.redhat.com/security/cve/CVE-2022-4137
https://access.redhat.com/security/cve/CVE-2022-24785
https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-31129
https://access.redhat.com/security/cve/CVE-2022-37603
https://access.redhat.com/security/cve/CVE-2022-38749
https://access.redhat.com/security/cve/CVE-2022-38750
https://access.redhat.com/security/cve/CVE-2022-38751
https://access.redhat.com/security/cve/CVE-2022-40149
https://access.redhat.com/security/cve/CVE-2022-40150
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/cve/CVE-2022-45693
https://access.redhat.com/security/cve/CVE-2022-46175
https://access.redhat.com/security/cve/CVE-2022-46363
https://access.redhat.com/security/cve/CVE-2022-46364
https://access.redhat.com/security/cve/CVE-2023-0091
https://access.redhat.com/security/cve/CVE-2023-0264
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY//t0dzjgjWX9erEAQhKpg//Y1TE5D88yW0VGXvGe9TRHY/D5kNFnaVq
2WBsboaGZbYLUdOQY21VLpmPjrnnzgw7mUgCUNSgDvjUWnMj0QZmCotVTx6IjKtE
uiD7OCtDED+IrB7taLjb6FQqFTdadUvys4hCtMdg2Fg416z9CqCJRYx81liLaM6r
L0aZAEjAknOOw6yaJg0rngNKvK41BHdb9OIN+rp+rVsGEIhW98Dh8Z2qnHd1OjLd
Z3KYPy4i98UlZeL9jfX2zE6AA4giYX/Zn1LE8GG0jNuVLJOjn95Ez/EwZn9IO63T
ppUoOoM7lo07FPVWGaqbBp8aH8xLVI/B+7vwtHzkz9azUiMhC+Z6cM7FyYcLmpu3
jYHt2nTvyFL1cYqNmnVWvyc8NX2jtL7loMPcPKCnEpXzXQsJ7pwqsl11uEqCfPg2
gf+WOgRZwjNUpBLiYtenAoi7YuHUyqCcji8WG63SXheSkjE8KUyqwlGWCkJ4nxWN
JH2ltSMIFEcXJKG7fy3NX5PZxYc1d2B0Pbv55px3wXmACpL3Qz/935iOASRPoKWT
0rGhBovgaYXym8bSGpyQDqsyCwSTRG6hlf90kxPdA5a8cXDvPgBjDNtkk8cLXxma
yO84vDgsCHMB5LfVZn8InPPNns4px6FlVdYEIWoBeQcxm+6YIR/qtSQ47vrNxkJp
cDKm+9rjpZw=dZHg
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce