Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3103
Important: Red Hat Single Sign-On 7.3.3 security update
14 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat Single Sign-On
Publisher: Red Hat
Operating System: Red Hat
Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Cross-site Request Forgery -- Remote with User Interaction
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-10201 CVE-2019-10199
Original Bulletin:
https://access.redhat.com/errata/RHSA-2019:2483
Comment: This advisory references vulnerabilities in products which run on
platforms other than Red Hat. It is recommended that administrators
running keycloak check for an updated version of
the software for their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat Single Sign-On 7.3.3 security update
Advisory ID: RHSA-2019:2483-01
Product: Red Hat Single Sign-On
Advisory URL: https://access.redhat.com/errata/RHSA-2019:2483
Issue date: 2019-08-13
CVE Names: CVE-2019-10199 CVE-2019-10201
=====================================================================
1. Summary:
A security update is now available for Red Hat Single Sign-On 7.3 from the
Customer Portal.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.3.3 serves as a replacement for
Red Hat Single Sign-On 7.3.2, and includes bug fixes and enhancements,
which are documented in the Release Notes, linked to in the References
section.
Security Fix(es):
* keycloak: SAML broker does not check existence of signature on document
allowing any user impersonation (CVE-2019-10201)
* keycloak: CSRF check missing in My Resources functionality in the Account
Console (CVE-2019-10199)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
1728609 - CVE-2019-10201 keycloak: SAML broker does not check existence of signature on document allowing any user impersonation
1729261 - CVE-2019-10199 keycloak: CSRF check missing in My Resources functionality in the Account Console
5. JIRA issues fixed (https://issues.jboss.org/):
KEYCLOAK-10286 - (7.3.z) Change to new Red Hat logo in RH-SSO admin UI
KEYCLOAK-10398 - (7.3.z) Update Red Hat logo in RH-SSO documentation
6. References:
https://access.redhat.com/security/cve/CVE-2019-10199
https://access.redhat.com/security/cve/CVE-2019-10201
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.3
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXVMdVtzjgjWX9erEAQhavA/9GR3oVgLlsv/TREYzI8bXp2VIHciFIlyq
kSCpEGJRCf+tPeWsn97fOAmHaQFYraU59QtTBeBXusfJ4g2fxhhWJUaaJFhNgi1+
BYvV+EtEziw1S0KtdRMa9LerUNBl058WfykeAn2PVpq7Fl1iDoQNV0Fj5FaiHV0d
2KyUjrKDIBrc5L+JOLa87j62snEhBwX861EA1+BfncRRzFNgoiOlC7Lhy7FswljB
v0sklAgsYet/2c/w4C4AhNFfsIqbOGP5rAR5PoqNL8Ahw+pF0sRzK0V24ZMIIUSO
7ISvqVihZ8bK3aOApDOHuhMCajSMeXM5Jgh2iaoLn/3UQW77N3Sod9Mmi0UmQMmY
95Akr2mXtO5rSPMOyEtjo4WJ4/Yp6Y/im6J2VToNFfSBaxp5l7sajU1et4X6RPfR
a5ij5kRmuu8RLC1/R8W/PNnf/dB59U95+Ts37ROkLHz/ItJSNAI2rgZlLddocxeZ
XNOGYIQxlfY9puvvfIO3bD1wsBPqpTi8aQnCNd/3Ajfjb8wNLd9egbGS1SYQ2oA7
oq19PEqdXcOkSxt3df8I4d5cmss98eXN7zuq3djAxxFBTx8H9DCwiRvM36UV/yHN
tfzOBo69G6s9OMMg6YvXlUzysWs4ROAmQKSsVztnqGlj6MDpppXFPIAEJKAC1OaU
Zb4HEN78/uQ=
=OyPB
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXVNkjWaOgq3Tt24GAQgUgQ/9EZ3cv4XlDfPfN3cLMte1HN2X7HQuXeuD
Q0dRtcgQUWTlIrlIs09vZrlPX77cjleU3PLfZIvIoqmaVADiCDSDDjMfPg5H4i8G
v3/NfgMZZzcSsAMI3x6n153QwODnakhuZ70WERiYwU799pXc5y1NHHjIDUsegU1O
szNIGVYQVpUdTnUGYIW18++xTlBE0eEBiAGAFQQ948SBKZQaxMoIDLw5DcUiCHm/
z4sm/rBWODAHgAg7E/gf3LiMre/rk0a3t6/gOe6nCEtsyVGe4fULB7ED7NM0jLH2
PUaYS9gPlaS9X+vo/pnlu0ZBURBtc4cgE4QvBeVxfa0OidpmcOAFxC+h1yzTNtmY
Lvz3K/BcjcV90wtEDGP3SOOg3D9+kCwVEDp6ROwjWdQJag271EEIBI+MvP2MAXtw
LIFuCB6Jv7qNyupNurpN7MAe+4CSAB4/+GK/PF1DkqzRygCl7HxOCYpfqdYkgx92
lIfe6bT5VVuODaysC6qoIfKJvXTBAtE4GZEjffUcGKwZDG+QRg2+GPr2cmKFZtdd
q7WSCwkt4QXX3TO8g6sDDg8uaE/74DG766NmQx1hfxDVahE99levvwbcWWFjmMMY
VFrULjVPcEEPDAQiVSm2trBstsFNQ+ihP4f1/76WYJ65jMROrKuaBf1oxkmFcinv
yecKN25cNXE=
=yipU
-----END PGP SIGNATURE-----