You are here
Home > Preporuke > Sigurnosni nedostatak programskog paketa Red Hat Single Sign-On

Sigurnosni nedostatak programskog paketa Red Hat Single Sign-On

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Low: RH-SSO 7.3.4 adapters for Enterprise Application Platform 6 security update
Advisory ID: RHSA-2019:3048-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3048
Issue date: 2019-10-14
CVE Names: CVE-2019-14820
=====================================================================

1. Summary:

Red Hat Single Sign-On 7.3.4 adapters are now available for Red Hat JBoss
Enterprise Application Platform 6.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server – noarch
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server – noarch

3. Description:

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

These packages provide security updates to adapters for use with Red Hat
Single Sign-On 7.3.4 for Red Hat JBoss Enterprise Application Platform 6.

Security Fix(es):

* keycloak: adapter endpoints are exposed via arbitrary URLs
(CVE-2019-14820)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1649870 – CVE-2019-14820 keycloak: adapter endpoints are exposed via arbitrary URLs

6. Package List:

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Server:

Source:
keycloak-adapter-sso7_3-eap6-4.8.13-1.Final_redhat_00001.1.ep6.el6.src.rpm

noarch:
keycloak-adapter-sso7_3-eap6-4.8.13-1.Final_redhat_00001.1.ep6.el6.noarch.rpm
keycloak-saml-adapter-sso7_3-eap6-4.8.13-1.Final_redhat_00001.1.ep6.el6.noarch.rpm

Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Server:

Source:
keycloak-adapter-sso7_3-eap6-4.8.13-1.Final_redhat_00001.1.ep6.el7.src.rpm

noarch:
keycloak-adapter-sso7_3-eap6-4.8.13-1.Final_redhat_00001.1.ep6.el7.noarch.rpm
keycloak-saml-adapter-sso7_3-eap6-4.8.13-1.Final_redhat_00001.1.ep6.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-14820
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXaS/Z9zjgjWX9erEAQjtxw/7Bu6V42F7CXOxFRl233Y/Rj2XmifdzDMh
JLY9Ir36eivJFz3F/fScPfgxR3H5hZaAqW7N8piZbcH3fEgi7aNbr+AXxIIpeU3w
2hQa6nIDYqDRyeE4KKIzdqCW+ktaD+TdgzbhpPr8qLP6IVrLxiOc2WFFki5HG9+K
cTuC7rszXrDSsQdVR/0+ItRlCVmd529m6vR+BNJeccUvfutk+hXZGPEUFKIp1Rkq
sjMf79ILS0m5wLTLhX22HIgutPpipGs3EhKWI9JKsfX4GnIML2XSK1mnWqrVklEj
IGwFjQKvnMjWBllvp5jJsg1zih9VyqZXx2xcu0npbt8n2Msahvd3pw/i0PIaeATY
RLogpAFS+vohCQvBTdFPDHuShMaQx4drh+FJMa5XWDsAMGQl2rj7S2pAfVyVMETm
g55sJ9Kk4qSfmwWwbk5Mrf8XK5bE2oQGmLDFNFa7UAL5nfxpnA4Uy+i6ifYH6Dsz
bqhZICefzFxC9wc+0Gdmn5SxoA6M/IWt5KxffIvfuChPNnjYCAbs8ephU2lMQWIZ
PHpFtUj7PSM6muwMqtsTzA4H+ocbTW+TP6f4Oz3uaFVHHZ20NrW01/QSolEH9IEE
ud5H7Ga42CB5Ur+h92fUy0Ls9zqDbG/G4FhBkHfcG2yCkZWJ8IvCl7JuIk9m6nsB
TPC9+ysTqVM=
=tjAM
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Low: RH-SSO 7.3.4 adapters for Enterprise Application Platform 7.2 security update
Advisory ID: RHSA-2019:3049-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3049
Issue date: 2019-10-14
CVE Names: CVE-2019-14820
=====================================================================

1. Summary:

Red Hat Single Sign-On 7.3.4 adapters are now available for Red Hat JBoss
Enterprise Application Platform 7.2

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 7.2 for RHEL 6 Server – noarch
Red Hat JBoss EAP 7.2 for RHEL 7 Server – noarch
Red Hat JBoss EAP 7.2 for RHEL 8 – noarch

3. Description:

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

These packages provide security updates to adapters for use with Red Hat
Single Sign-On 7.3.4 for Red Hat JBoss Enterprise Application Platform 7.2.

Security Fix(es):

* keycloak: adapter endpoints are exposed via arbitrary URLs
(CVE-2019-14820)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1649870 – CVE-2019-14820 keycloak: adapter endpoints are exposed via arbitrary URLs

6. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-17585 – Tracker bug for the RH-SSO 7.3.4 adapters release for Red Hat JBoss Enterprise Application Platform 7

7. Package List:

Red Hat JBoss EAP 7.2 for RHEL 6 Server:

Source:
eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el6eap.src.rpm

noarch:
eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-keycloak-saml-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el6eap.noarch.rpm

Red Hat JBoss EAP 7.2 for RHEL 7 Server:

Source:
eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el7eap.src.rpm

noarch:
eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-keycloak-saml-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el7eap.noarch.rpm

Red Hat JBoss EAP 7.2 for RHEL 8:

Source:
eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el8eap.src.rpm

noarch:
eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-keycloak-saml-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el8eap.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2019-14820
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXaS/2tzjgjWX9erEAQjn7A/9Fu3urKuT+ApleK7u3+3g/mIw/S+hgdNt
FvOufYF/tyhyeUGKAk8hEfQjB8G5pJ4UbG0ZXsagBM6pwXyQ62odXLCqFiCo69IT
WLu7b7ROKnxlzLq/xb1zFlt0L7tDdBjY//+fbO51SFuoUffZYV22KjLA8s+/eT32
oZnq+95eSy7ckYA1hYzKgCiAFV4qoqpExdpHC6G4E3zop9r6RklbEdjc6Nl9LxzD
x1gEc6Mh3JwJvk8HSBNUvHjDzBFAmTpoL1FeAFng/UGBAKjjnCVGM1MlOKl2rXLt
G4fK6GWl3smtyRTrDt1gQ7z9/lF8+84FrRoxF8ToDWI0z6id24l0uUh1s2wHjA3h
97J+tIszOSma1Knawg3+ImimjCYTeXlVkzViCg05Q7U2xhPBdc+J4Hn/AYCTAqSD
AEprIzTL+1jGtm7pI3iTBAKDCjg0kAjJaCPtmpOYdlm7/WYF0mDTq8LGeQtEssUC
AvqhTzzzmXDpLydAmKEoBVL0pmFZ5Hjasg6VnEQQzeSw+Za9hG7eRjoUSr47OHIV
+CAgmw4KltH7zd1e27Ln3oxJplbflZzUQ0Ce65jycvk061Xf8tiqnNHzimUGiR17
SrLPyz3vnhfrrpGHQPWL8HY1MCayb29jOstEiz/teJmXU2nFPNjY0RVPlRekVjFY
DhZ4ha2E0pU=
=FUUN
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Top
More in Preporuke
Sigurnosni nedostaci programskog paketa Red Hat Single Sign-On

Otkriveni su sigurnosni nedostaci u programskom paketu Red Hat Single Sign-On. Otkriveni nedostaci potencijalnim napadačima omogućuju zaobilaženje sigurnosnih ograničenja, otkrivanje...

Close