-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On 7.6.2 security update on RHEL 9
Advisory ID:       RHSA-2023:1045-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:1045
Issue date:        2023-03-01
CVE Names:         CVE-2018-14040 CVE-2018-14042 CVE-2019-11358
                   CVE-2020-11022 CVE-2020-11023 CVE-2021-35065
                   CVE-2021-44906 CVE-2022-1274 CVE-2022-1438
                   CVE-2022-1471 CVE-2022-2764 CVE-2022-3782
                   CVE-2022-3916 CVE-2022-4137 CVE-2022-24785
                   CVE-2022-25857 CVE-2022-31129 CVE-2022-37603
                   CVE-2022-38749 CVE-2022-38750 CVE-2022-38751
                   CVE-2022-40149 CVE-2022-40150 CVE-2022-42003
                   CVE-2022-42004 CVE-2022-45047 CVE-2022-45693
                   CVE-2022-46175 CVE-2022-46363 CVE-2022-46364
                   CVE-2023-0091 CVE-2023-0264
====================================================================
1. Summary:

New Red Hat Single Sign-On 7.6.2 packages are now available for Red Hat
Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Single Sign-On 7.6 for RHEL 9 - noarch

3. Description:

Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.6.2 on RHEL 9 serves as a
replacement for Red Hat Single Sign-On 7.6.1, and includes bug fixes and
enhancements, which are documented in the Release Notes document linked to
in the References.

Security Fix(es):

* keycloak: XSS on impersonation under specific circumstances
(CVE-2022-1438)
* Moment.js: Path traversal in moment.locale (CVE-2022-24785)
* keycloak: missing email notification template allowlist (CVE-2022-1274)
* keycloak: minimist: prototype pollution (CVE-2021-44906)
* moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
* undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK
forever for EJB invocations (CVE-2022-2764)
* snakeyaml: Denial of Service due to missing nested depth limitation for
collections (CVE-2022-25857)
* loader-utils: loader-utils:Regular expression denial of service
(CVE-2022-37603)
* keycloak: Session takeover with OIDC offline refreshtokens
(CVE-2022-3916)
* keycloak: path traversal via double URL encoding (CVE-2022-3782)
* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)
* snakeyaml: Uncaught exception in
java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)
* snakeyaml: Uncaught exception in
org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
(CVE-2022-38750)
* keycloak: Client Registration endpoint does not check token revocation
(CVE-2023-0091)
* keycloak: glob-parent: Regular Expression Denial of Service
(CVE-2021-35065)
* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)
* keycloak: keycloak: user impersonation via stolen uuid code
(CVE-2023-0264)
* snakeyaml: Constructor Deserialization Remote Code Execution
(CVE-2022-1471)
* CXF: Apache CXF: SSRF Vulnerability (CVE-2022-46364)
* rcue-bootstrap: bootstrap: Cross-site Scripting (XSS) in the
data-container property of tooltip (CVE-2018-14042)
* jettison: If the value in map is the map's self, the new new
JSONObject(map) cause StackOverflowError which may lead to dos
(CVE-2022-45693)
* sshd-common: mina-sshd: Java unsafe deserialization vulnerability
(CVE-2022-45047)
* jettison: memory exhaustion via user-supplied XML or JSON data
(CVE-2022-40150)
* jettison: parser crash by stackoverflow (CVE-2022-40149)
* jackson-databind: use of deeply nested arrays (CVE-2022-42004)
* jackson-databind: deep wrapper array nesting wrt
UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter
method (CVE-2020-11022)
* jquery: Passing HTML containing <option> elements to manipulation methods
could result in untrusted code execution (CVE-2020-11023)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent
attribute (CVE-2018-14040)
* jquery: Prototype pollution in object's prototype leading to denial of
service, remote code execution, or property injection (CVE-2019-11358)
* CXF: Apache CXF: directory listing / code exfiltration (CVE-2022-46363)
* keycloak: reflected XSS attack (CVE-2022-4137)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute
1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip
1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
2031904 - CVE-2022-1438 keycloak: XSS on impersonation under specific circumstances
2066009 - CVE-2021-44906 minimist: prototype pollution
2072009 - CVE-2022-24785 Moment.js: Path traversal  in moment.locale
2073157 - CVE-2022-1274 keycloak: HTML injection in execute-actions-email Admin REST API
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2117506 - CVE-2022-2764 Undertow: DoS can be achieved as Undertow server waits for the LAST_CHUNK forever for EJB invocations
2126789 - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
2129706 - CVE-2022-38749 snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode
2129707 - CVE-2022-38750 snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject
2129709 - CVE-2022-38751 snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match
2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS
2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays
2135770 - CVE-2022-40150 jettison: memory exhaustion via user-supplied XML or JSON data
2135771 - CVE-2022-40149 jettison: parser crash by stackoverflow
2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding
2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service
2141404 - CVE-2022-3916 keycloak: Session takeover with OIDC offline refreshtokens
2145194 - CVE-2022-45047 mina-sshd: Java unsafe deserialization vulnerability
2148496 - CVE-2022-4137 keycloak: reflected XSS attack
2150009 - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
2155681 - CVE-2022-46363 Apache CXF: directory listing / code exfiltration
2155682 - CVE-2022-46364 Apache CXF: SSRF Vulnerability
2155970 - CVE-2022-45693 jettison:  If the value in map is the map's self, the new new JSONObject(map) cause StackOverflowError which may lead to dos
2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method
2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service
2158585 - CVE-2023-0091 keycloak: Client Registration endpoint does not check token revocation
2160585 - CVE-2023-0264 keycloak: user impersonation via stolen uuid code

6. Package List:

Red Hat Single Sign-On 7.6 for RHEL 9:

Source:
rh-sso7-keycloak-18.0.6-1.redhat_00001.1.el9sso.src.rpm

noarch:
rh-sso7-keycloak-18.0.6-1.redhat_00001.1.el9sso.noarch.rpm
rh-sso7-keycloak-server-18.0.6-1.redhat_00001.1.el9sso.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-14040
https://access.redhat.com/security/cve/CVE-2018-14042
https://access.redhat.com/security/cve/CVE-2019-11358
https://access.redhat.com/security/cve/CVE-2020-11022
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/cve/CVE-2021-35065
https://access.redhat.com/security/cve/CVE-2021-44906
https://access.redhat.com/security/cve/CVE-2022-1274
https://access.redhat.com/security/cve/CVE-2022-1438
https://access.redhat.com/security/cve/CVE-2022-1471
https://access.redhat.com/security/cve/CVE-2022-2764
https://access.redhat.com/security/cve/CVE-2022-3782
https://access.redhat.com/security/cve/CVE-2022-3916
https://access.redhat.com/security/cve/CVE-2022-4137
https://access.redhat.com/security/cve/CVE-2022-24785
https://access.redhat.com/security/cve/CVE-2022-25857
https://access.redhat.com/security/cve/CVE-2022-31129
https://access.redhat.com/security/cve/CVE-2022-37603
https://access.redhat.com/security/cve/CVE-2022-38749
https://access.redhat.com/security/cve/CVE-2022-38750
https://access.redhat.com/security/cve/CVE-2022-38751
https://access.redhat.com/security/cve/CVE-2022-40149
https://access.redhat.com/security/cve/CVE-2022-40150
https://access.redhat.com/security/cve/CVE-2022-42003
https://access.redhat.com/security/cve/CVE-2022-42004
https://access.redhat.com/security/cve/CVE-2022-45047
https://access.redhat.com/security/cve/CVE-2022-45693
https://access.redhat.com/security/cve/CVE-2022-46175
https://access.redhat.com/security/cve/CVE-2022-46363
https://access.redhat.com/security/cve/CVE-2022-46364
https://access.redhat.com/security/cve/CVE-2023-0091
https://access.redhat.com/security/cve/CVE-2023-0264
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBY//txdzjgjWX9erEAQigGg/+JTdFclFxvPB1ZiAp4h2h7Z5kSb1xKext
BYJy42PhiEoaIM4qewZNKZFfni/zjzO3wDJcVu+6pBJ9TuYTUe5Ra88dnQ+LbkXy
Vr4/Xw5R907jQtscRSgpdrBJTfU4RLa4iRVvb2CI7ASmn3aODfd1BTYMTN0D8di4
b5A4cERcM/IroNx1APYM6WpOdUHwCRasz5CvnpJreh5NfqBtSf2O8qNHwWJ7WzBz
/VOWcURNt/aIlu5hcCXEVoOoyhL8UmOVypX7HJq0ULOtbj4VnFBXj6zpaNReAR38
8AgAM49vEAE4TpFdSzvRQnuW5F42IKkuGDes49HR0I3KyitFGklsjs52MRBN5wHC
XyKCqpfFDiD87GpJuI78U9Xc38juHd3N7FtMnmu9+lG/JVNZEgq3ZYvx2+E60xDy
tAA64Zghu6PudS+9DWEqATuJ+ZxPm1QhfmdXxob3PZINwYMPOxqJmPBYubdHw3cG
T/GFrL+Y63HtVPJIAlE5wvwlIbzk1BlmcYDtSUQdEG+X6Z86kZGPOVHJ15LLfQdw
zX2I928z7n2IvcrZOMTkzw8BRpsoaAlnmdsIoEMkevQtJOzZmeU/b2t12SPua4bp
neH1Md7G1KZE62V4dwoE19+yLzoqHYbqSe5rjiSak5W6fp+0I4zapZh/R7W9sMHj
droQd2/ECco=UT46
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce