===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.2365
    Red Hat Single Sign-On 7.6.8 Operator enhancement and security update
                               17 April 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Single Sign-On 7.6.8 Operator
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-6484

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1865

Comment: CVSS (Max):  5.3 CVE-2023-6484 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: Red Hat Single Sign-On 7.6.8 Operator enhancement and security update
Advisory ID:       RHSA-2024:1865
Product:           Middleware Containers for OpenShift
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1865
Issue date:        2024-04-16
CVE Names:         CVE-2023-6484
=====================================================================

1. Summary:

Red Hat Single Sign-On 7.6.8 Operator enhancement and security update.

This is an enhancement and security update with Low impact rating and
package name 'rh-sso7-keycloak'.

A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Middleware Containers for OpenShift - s390x, ppc64le, amd64

3. Description:

Red Hat Single Sign-On 7.6.8 Operator for OpenShift simplifies deployment
and management of Single-Sign-On 7.6.8 clusters. The Operator is supported
on Red Hat OpenShift Container Platform 4.9.
Security Fix(es):

* Log Injection during WebAuthn authentication or registration
  (CVE-2023-6484)

4. Solution:

To install the Red Hat Single Sign-On Operator, use the Operator
Marketplace interface in OpenShift Container Platform.

5. Bugs fixed (https://bugzilla.redhat.com/):

2248423 - CVE-2023-6484 - keycloak: Log Injection during WebAuthn authentication or registration

6. Package List:

Middleware Containers for OpenShift

8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-init-container@sha256:7c11cf4ea78020a3fba69c85e56c1c1eed08af61e7215dae5dcf7425f341b79d_amd64:
rh-sso-7/sso7-rhel8-init-container@sha256:7c11cf4ea78020a3fba69c85e56c1c1eed08af61e7215dae5dcf7425f341b79d_amd64.rpm

8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-init-container@sha256:d89710eaa9b45dc180c311bd020255759383b0eb07826265e4ba810c6a047196_s390x:
rh-sso-7/sso7-rhel8-init-container@sha256:d89710eaa9b45dc180c311bd020255759383b0eb07826265e4ba810c6a047196_s390x.rpm

8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-init-container@sha256:f02e961e0c796ac8b65de30a5c364c63337003ba9d2b05b7041565cf3bd9d8c0_ppc64le:
rh-sso-7/sso7-rhel8-init-container@sha256:f02e961e0c796ac8b65de30a5c364c63337003ba9d2b05b7041565cf3bd9d8c0_ppc64le.rpm

8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator-bundle@sha256:81208c494048b526ff577b0c9673f4e310e84627671d2da7ac072aa11292aedc_amd64:
rh-sso-7/sso7-rhel8-operator-bundle@sha256:81208c494048b526ff577b0c9673f4e310e84627671d2da7ac072aa11292aedc_amd64.rpm

8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator@sha256:586edd67e9b88b7f11bcec01308ef66aa20f7fd7307b821c1e6da5dbdee0786a_s390x:
rh-sso-7/sso7-rhel8-operator@sha256:586edd67e9b88b7f11bcec01308ef66aa20f7fd7307b821c1e6da5dbdee0786a_s390x.rpm

8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator@sha256:990daa5745e5c3ba9da0087a0198de272027794949b8c5f45b86023702bfe8a0_ppc64le:
rh-sso-7/sso7-rhel8-operator@sha256:990daa5745e5c3ba9da0087a0198de272027794949b8c5f45b86023702bfe8a0_ppc64le.rpm
8Base-RHOSE-Middleware:rh-sso-7/sso7-rhel8-operator@sha256:bc38682492e8166dca7a08d0eae81469270b5f979ff80f075bc63183126098c0_amd64:
rh-sso-7/sso7-rhel8-operator@sha256:bc38682492e8166dca7a08d0eae81469270b5f979ff80f075bc63183126098c0_amd64.rpm

7. References:

https://access.redhat.com/security/cve/CVE-2023-6484
https://access.redhat.com/security/updates/classification/#low

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
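The advisory names the bug class (log injection during WebAuthn authentication or registration) but not the mechanics. The following added example, which is not part of the AusCERT bulletin or the Red Hat advisory and is not Keycloak/RH-SSO code, shows what the class looks like in practice and how a logging layer neutralises it: a user-controlled string carrying CR/LF reaches a line-oriented log, and a downstream consumer reads the attacker's text as a separate, legitimate record. The log layout, the field names and the choice of the WebAuthn authenticator label as the injected value are assumptions made for the illustration; the sample log line is constructed.

```python
"""Log injection: a user-controlled value with embedded CR/LF forges log
records, and a sanitising logger prevents it.

Added illustration of the bug class named in CVE-2023-6484. Not Keycloak /
RH-SSO code: the log format, the field names and the idea that the WebAuthn
authenticator label is the injected value are assumptions for the example.
"""
import re

# Constructed sample input: a WebAuthn registration where the user picks the
# "label" (friendly name) of the authenticator. The second line of the label
# is the payload: a forged successful admin login.
HOSTILE_LABEL = (
    "my-yubikey\n"
    "2024-04-16 10:00:01 INFO  [auth] type=LOGIN user=admin result=SUCCESS ip=10.0.0.1"
)

# Assumed log layout: "<date> <time> <LEVEL>  [<component>] key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<lvl>\w+)\s+\[(?P<comp>[^\]]+)\] (?P<kv>.*)$")


def log_naive(user, label):
    """Vulnerable pattern: the raw value is interpolated into the record.
    Any CR/LF inside it ends the record early and starts a new line."""
    return f"2024-04-16 10:00:00 INFO  [webauthn] type=REGISTER user={user} label={label}"


_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize(value):
    """Keep a value on one line: escape backslashes first so the escaping is
    unambiguous, then replace every control character (CR, LF, ESC, NUL, ...)
    with its \\xNN form. Nothing is dropped, so forensics can still see
    exactly what the client sent."""
    value = value.replace("\\", "\\\\")
    return _CTRL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_hardened(user, label):
    """Fixed pattern: the same record, but every untrusted field passes
    through sanitize() before it is formatted."""
    return (f"2024-04-16 10:00:00 INFO  [webauthn] type=REGISTER "
            f"user={sanitize(user)} label={sanitize(label)}")


def parse_records(text):
    """A naive line-oriented consumer (a SIEM or a log forwarder) that does
    not know one record was meant: it parses every line that looks right."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


_ESCAPED_EOL = re.compile(r"\\x0[ad]")


def injection_attempts(lines):
    """Detection: once the log is written through sanitize(), an escaped
    CR/LF inside a record is the fingerprint of an injection attempt."""
    return [line for line in lines if _ESCAPED_EOL.search(line)]


if __name__ == "__main__":
    bad = log_naive("alice", HOSTILE_LABEL)
    good = log_hardened("alice", HOSTILE_LABEL)
    print("naive    -> %d records parsed" % len(parse_records(bad)))   # 2
    print("hardened -> %d records parsed" % len(parse_records(good)))  # 1
    print("flagged  :", injection_attempts(good.splitlines()))
```

The naive line yields two parsed records, the second a fabricated admin login that a SIEM would index as genuine; the hardened line yields exactly one, and the escaped `\x0a` inside it is something a detection rule can alert on. The same sanitising step applies to any attacker-influenced field that is logged, not only labels, and structured (JSON) logging achieves the same goal by construction since the serializer escapes control characters.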
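The Solution section only says to install the Operator through the Operator Marketplace; it does not say how to confirm afterwards that the pods in your cluster are actually running the images this advisory ships. The following added script, which is not a Red Hat tool and not part of the advisory, does that by comparing the digest part of each running container's `imageID` with the digests from section 6 of RHSA-2024:1865. The `oc get pods -o jsonpath` command in the comments is the standard way to read `.status.containerStatuses[*].imageID`; the `registry.redhat.io` hostname in the sample input, the namespace variable, and the sample image list itself are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory, not a Red Hat tool): confirm that the
# RH-SSO operator images running in a namespace are the ones RHSA-2024:1865
# ships, by comparing each container's imageID digest with the advisory list.
#
# On a real cluster the input comes from (NAMESPACE = where the Operator
# was installed; jsonpath and .imageID are standard oc/kubectl features):
#   oc get pods -n "$NAMESPACE" -o jsonpath='{range .items[*]}{range .status.containerStatuses[*]}{.imageID}{"\n"}{end}{end}' | check_digests

# Digests copied from section 6 of RHSA-2024:1865: "<digest> <image>_<arch>".
ADVISORY_DIGESTS='sha256:7c11cf4ea78020a3fba69c85e56c1c1eed08af61e7215dae5dcf7425f341b79d sso7-rhel8-init-container_amd64
sha256:d89710eaa9b45dc180c311bd020255759383b0eb07826265e4ba810c6a047196 sso7-rhel8-init-container_s390x
sha256:f02e961e0c796ac8b65de30a5c364c63337003ba9d2b05b7041565cf3bd9d8c0 sso7-rhel8-init-container_ppc64le
sha256:81208c494048b526ff577b0c9673f4e310e84627671d2da7ac072aa11292aedc sso7-rhel8-operator-bundle_amd64
sha256:586edd67e9b88b7f11bcec01308ef66aa20f7fd7307b821c1e6da5dbdee0786a sso7-rhel8-operator_s390x
sha256:990daa5745e5c3ba9da0087a0198de272027794949b8c5f45b86023702bfe8a0 sso7-rhel8-operator_ppc64le
sha256:bc38682492e8166dca7a08d0eae81469270b5f979ff80f075bc63183126098c0 sso7-rhel8-operator_amd64'

# stdin: one imageID per line ("registry/repo@sha256:<hex>"). Prints one
# verdict per rh-sso-7 image and returns 1 if any of them is not at the
# advisory's level. Images outside rh-sso-7/ are ignored.
check_digests() {
    rc=0
    while IFS= read -r image_id; do
        case "$image_id" in
            */rh-sso-7/*@sha256:*) ;;
            *) continue ;;
        esac
        digest=${image_id##*@}
        if printf '%s\n' "$ADVISORY_DIGESTS" | grep -q "^$digest "; then
            echo "OK     $image_id"
        else
            echo "STALE  $image_id (digest not in RHSA-2024:1865)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: one operator image at the advisory digest, one init
# container at some other digest, one unrelated image. The registry
# hostname is an assumption for the example.
SAMPLE_IMAGE_IDS='registry.redhat.io/rh-sso-7/sso7-rhel8-operator@sha256:bc38682492e8166dca7a08d0eae81469270b5f979ff80f075bc63183126098c0
registry.redhat.io/rh-sso-7/sso7-rhel8-init-container@sha256:0000000000000000000000000000000000000000000000000000000000000000
quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1111111111111111111111111111111111111111111111111111111111111111'

printf '%s\n' "$SAMPLE_IMAGE_IDS" | check_digests \
    || echo "at least one rh-sso-7 image is not at the RHSA-2024:1865 level"
```

The check keys on `imageID` rather than `image` because `imageID` records the digest the kubelet actually pulled, whereas `image` can be a floating tag. A STALE verdict after the Operator upgrade usually means a pod has not been restarted yet or the subscription is pinned to an older channel; note also that these digests are the ones published with this advisory and will be superseded by the next RH-SSO errata, so the list must be refreshed with each update.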
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================