Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.3103 Important: Red Hat Single Sign-On 7.3.3 security update 14 August 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Red Hat Single Sign-On Publisher: Red Hat Operating System: Red Hat Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Cross-site Request Forgery -- Remote with User Interaction Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2019-10201 CVE-2019-10199 Original Bulletin: https://access.redhat.com/errata/RHSA-2019:2483 Comment: This advisory references vulnerabilities in products which run on platforms other than Red Hat. It is recommended that administrators running keycloak check for an updated version of the software for their operating system. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat Single Sign-On 7.3.3 security update Advisory ID: RHSA-2019:2483-01 Product: Red Hat Single Sign-On Advisory URL: https://access.redhat.com/errata/RHSA-2019:2483 Issue date: 2019-08-13 CVE Names: CVE-2019-10199 CVE-2019-10201 ===================================================================== 1. Summary: A security update is now available for Red Hat Single Sign-On 7.3 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.3.3 serves as a replacement for Red Hat Single Sign-On 7.3.2, and includes bug fixes and enhancements, which are documented in the Release Notes, linked to in the References section. Security Fix(es): * keycloak: SAML broker does not check existence of signature on document allowing any user impersonation (CVE-2019-10201) * keycloak: CSRF check missing in My Resources functionality in the Account Console (CVE-2019-10199) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). 4. Bugs fixed (https://bugzilla.redhat.com/): 1728609 - CVE-2019-10201 keycloak: SAML broker does not check existence of signature on document allowing any user impersonation 1729261 - CVE-2019-10199 keycloak: CSRF check missing in My Resources functionality in the Account Console 5. JIRA issues fixed (https://issues.jboss.org/): KEYCLOAK-10286 - (7.3.z) Change to new Red Hat logo in RH-SSO admin UI KEYCLOAK-10398 - (7.3.z) Update Red Hat logo in RH-SSO documentation 6. References: https://access.redhat.com/security/cve/CVE-2019-10199 https://access.redhat.com/security/cve/CVE-2019-10201 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.3 https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/ 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXVMdVtzjgjWX9erEAQhavA/9GR3oVgLlsv/TREYzI8bXp2VIHciFIlyq kSCpEGJRCf+tPeWsn97fOAmHaQFYraU59QtTBeBXusfJ4g2fxhhWJUaaJFhNgi1+ BYvV+EtEziw1S0KtdRMa9LerUNBl058WfykeAn2PVpq7Fl1iDoQNV0Fj5FaiHV0d 2KyUjrKDIBrc5L+JOLa87j62snEhBwX861EA1+BfncRRzFNgoiOlC7Lhy7FswljB v0sklAgsYet/2c/w4C4AhNFfsIqbOGP5rAR5PoqNL8Ahw+pF0sRzK0V24ZMIIUSO 7ISvqVihZ8bK3aOApDOHuhMCajSMeXM5Jgh2iaoLn/3UQW77N3Sod9Mmi0UmQMmY 95Akr2mXtO5rSPMOyEtjo4WJ4/Yp6Y/im6J2VToNFfSBaxp5l7sajU1et4X6RPfR a5ij5kRmuu8RLC1/R8W/PNnf/dB59U95+Ts37ROkLHz/ItJSNAI2rgZlLddocxeZ XNOGYIQxlfY9puvvfIO3bD1wsBPqpTi8aQnCNd/3Ajfjb8wNLd9egbGS1SYQ2oA7 oq19PEqdXcOkSxt3df8I4d5cmss98eXN7zuq3djAxxFBTx8H9DCwiRvM36UV/yHN tfzOBo69G6s9OMMg6YvXlUzysWs4ROAmQKSsVztnqGlj6MDpppXFPIAEJKAC1OaU Zb4HEN78/uQ= =OyPB - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXVNkjWaOgq3Tt24GAQgUgQ/9EZ3cv4XlDfPfN3cLMte1HN2X7HQuXeuD Q0dRtcgQUWTlIrlIs09vZrlPX77cjleU3PLfZIvIoqmaVADiCDSDDjMfPg5H4i8G v3/NfgMZZzcSsAMI3x6n153QwODnakhuZ70WERiYwU799pXc5y1NHHjIDUsegU1O szNIGVYQVpUdTnUGYIW18++xTlBE0eEBiAGAFQQ948SBKZQaxMoIDLw5DcUiCHm/ z4sm/rBWODAHgAg7E/gf3LiMre/rk0a3t6/gOe6nCEtsyVGe4fULB7ED7NM0jLH2 PUaYS9gPlaS9X+vo/pnlu0ZBURBtc4cgE4QvBeVxfa0OidpmcOAFxC+h1yzTNtmY Lvz3K/BcjcV90wtEDGP3SOOg3D9+kCwVEDp6ROwjWdQJag271EEIBI+MvP2MAXtw LIFuCB6Jv7qNyupNurpN7MAe+4CSAB4/+GK/PF1DkqzRygCl7HxOCYpfqdYkgx92 lIfe6bT5VVuODaysC6qoIfKJvXTBAtE4GZEjffUcGKwZDG+QRg2+GPr2cmKFZtdd q7WSCwkt4QXX3TO8g6sDDg8uaE/74DG766NmQx1hfxDVahE99levvwbcWWFjmMMY VFrULjVPcEEPDAQiVSm2trBstsFNQ+ihP4f1/76WYJ65jMROrKuaBf1oxkmFcinv yecKN25cNXE= =yipU -----END PGP SIGNATURE-----