===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1638
        Important: Red Hat Single Sign-On 7.3.1 security update
                               10 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Single Sign-On 7.3.1
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-3894 CVE-2019-3868 CVE-2019-3805 CVE-2018-14721
                   CVE-2018-14720 CVE-2018-14642 CVE-2018-12023 CVE-2018-12022
                   CVE-2018-11307
Reference:         ASB-2019.0122 ASB-2019.0119 ESB-2019.1406 ESB-2019.1392

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2019:1140

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat Single Sign-On 7.3.1 security update
Advisory ID:       RHSA-2019:1140-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1140
Issue date:        2019-05-09
CVE Names:         CVE-2018-11307 CVE-2018-12022 CVE-2018-12023
                   CVE-2018-14642 CVE-2018-14720 CVE-2018-14721
                   CVE-2019-3805 CVE-2019-3868 CVE-2019-3894
=====================================================================

1. Summary:

A security update is now available for Red Hat Single Sign-On 7.3 from the
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Important.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Description:

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.3.1 serves as a replacement for Red
Hat Single Sign-On 7.3.0, and includes bug fixes and enhancements, which are
documented in the Release Notes document linked to in the References.

Security Fix(es):

* keycloak: session hijack using the user access token (CVE-2019-3868)

* jackson-databind: Potential information exfiltration with default typing,
  serialization gadget from MyBatis (CVE-2018-11307)

* jackson-databind: improper polymorphic deserialization of types from
  Jodd-db library (CVE-2018-12022)

* jackson-databind: improper polymorphic deserialization of types from
  Oracle JDBC driver (CVE-2018-12023)

* undertow: Infoleak in some circumstances where Undertow can serve data
  from a random buffer (CVE-2018-14642)

* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)

* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
  (CVE-2018-14721)

* wildfly: Race condition on PID file allows for termination of arbitrary
  processes by local users (CVE-2019-3805)

* wildfly: wrong SecurityIdentity for EE concurrency threads that are reused
  (CVE-2019-3894)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1628702 - CVE-2018-14642 undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer
1660263 - CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users
1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes
1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library
1677341 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
1679144 - CVE-2019-3868 keycloak: session hijack using the user access token
1682108 - CVE-2019-3894 wildfly: wrong SecurityIdentity for EE concurrency threads that are reused

5. References:

https://access.redhat.com/security/cve/CVE-2018-11307
https://access.redhat.com/security/cve/CVE-2018-12022
https://access.redhat.com/security/cve/CVE-2018-12023
https://access.redhat.com/security/cve/CVE-2018-14642
https://access.redhat.com/security/cve/CVE-2018-14720
https://access.redhat.com/security/cve/CVE-2018-14721
https://access.redhat.com/security/cve/CVE-2019-3805
https://access.redhat.com/security/cve/CVE-2019-3868
https://access.redhat.com/security/cve/CVE-2019-3894
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=core.service.rhsso&version=7.3
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details
at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
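Added illustration of the jackson-databind issue class listed above (CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14720, CVE-2018-14721); this is not code from Red Hat, Keycloak or Red Hat Single Sign-On. It shows the weak global default-typing setting beside the allow-list form that jackson-databind 2.10 and later provide; the package, the Event/LoginEvent types and the JSON inputs are constructed for the example.

```java
package com.example.events;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// With global default typing the JSON itself names the class to instantiate, so
// any "gadget" class on the classpath (JDBC driver, MyBatis, axis2, ...) becomes
// reachable from untrusted input. Requires jackson-databind 2.10 or later.
public class JacksonTypingExample {

    // Hypothetical application type that is legitimately polymorphic.
    public interface Event {}
    public static class LoginEvent implements Event { public String user; }

    // Weak setting: the legacy enableDefaultTyping() accepts whatever type id the
    // input carries. This is the configuration the listed jackson CVEs depend on.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10; no type validator at all
        return m;
    }

    // Corrected setting: an allow-list validator. Only subtypes under our own
    // package may be named by the input; any other type id fails at bind time.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.events.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper m = hardenedMapper();
        // Constructed input in the wrapper-array shape default typing uses.
        String ok = "[\"com.example.events.JacksonTypingExample$LoginEvent\",{\"user\":\"alice\"}]";
        LoginEvent e = (LoginEvent) m.readValue(ok, Event.class);
        System.out.println("accepted: " + e.user);

        // Constructed type id outside the allow-list (placeholder, not a real gadget).
        String bad = "[\"org.placeholder.SomeOtherClass\",{}]";
        try {
            m.readValue(bad, Event.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("rejected: " + ex.getTypeId());
        }
    }
}
```

Where polymorphism is only needed for a few known types, explicit @JsonTypeInfo/@JsonSubTypes annotations on the base type avoid default typing altogether and are preferable to any global setting.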
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================