-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4471
               Red Hat Single Sign-On 7.4.0 security update
                             18 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat Single Sign-On 7.4.0
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-11620 CVE-2020-11619 CVE-2020-11113
                   CVE-2020-11112 CVE-2020-11111 CVE-2020-10968
                   CVE-2020-1727  

Reference:         ESB-2020.3190
                   ESB-2020.2619
                   ESB-2020.2612
                   ESB-2020.1399
                   ESB-2020.1368

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:5625

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat Single Sign-On 7.4.0 security update
Advisory ID:       RHSA-2020:5625-01
Product:           Red Hat Single Sign-On
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:5625
Issue date:        2020-12-17
CVE Names:         CVE-2020-1727 CVE-2020-10968 CVE-2020-11111 
                   CVE-2020-11112 CVE-2020-11113 CVE-2020-11619 
                   CVE-2020-11620 
=====================================================================

1. Summary:

A security update is now available for Red Hat Single Sign-On 7.4 from the
Customer Portal.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

NOTE: This advisory is an addendum to
https://access.redhat.com/errata/RHBA-2020:1414 and is an informational
advisory only, to clarify security fixes released therein. No code has been
modified as part of this advisory.

2. Description:

Red Hat Single Sign-On 7.4 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.4.0 serves as a replacement for
Red Hat Single Sign-On 7.3, and includes bug fixes and enhancements, which
are documented in the Release Notes document linked to in the References.

Security Fix(es):

* keycloak: missing input validation in IDP authorization URLs
(CVE-2020-1727)

* jackson-databind: Serialization gadgets in
org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968)

* jackson-databind: Serialization gadgets in
org.apache.activemq.jms.pool.XaPooledConnectionFactory (CVE-2020-11111)

* jackson-databind: Serialization gadgets in
org.apache.commons.proxy.provider.remoting.RmiProvider (CVE-2020-11112)

* jackson-databind: Serialization gadgets in
org.apache.openjpa.ee.WASRegistryManagedRuntime (CVE-2020-11113)

* jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
(CVE-2020-11620)

* jackson-databind: Serialization gadgets in org.springframework:spring-aop
(CVE-2020-11619)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
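The six jackson-databind entries above share one root cause: when polymorphic deserialization is enabled (default typing, or an `@JsonTypeInfo(use = Id.CLASS)` annotation on a loosely typed field), the class named inside the incoming JSON is instantiated before the application ever sees it, and each CVE blocks one more class that behaves badly when instantiated that way. The following Java example is added to this bulletin for illustration; it is not code from the Red Hat advisory, Keycloak or Red Hat Single Sign-On. It shows the weak configuration beside the allow-list configuration jackson-databind 2.10 and later provide (`BasicPolymorphicTypeValidator`), with a constructed `Envelope` type, a hypothetical `LoginEvent` application class, and `java.util.HashMap` standing in for any class the application did not intend to accept.

```java
// Added example, not from the Red Hat advisory or Keycloak. Assumes
// jackson-databind 2.10+ on the classpath. Envelope and LoginEvent are
// hypothetical application types constructed for this demonstration.
import java.io.IOException;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingDemo {

    // A wrapper whose "payload" is typed as Object and carries the concrete
    // class name in "@class". This is the shape that gadget classes abuse:
    // whatever class the document names gets constructed during parsing.
    public static class Envelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS,
                      include = JsonTypeInfo.As.PROPERTY, property = "@class")
        public Object payload;
    }

    // Hypothetical application type that legitimately travels in the envelope.
    public static class LoginEvent {
        public String user;
    }

    // Weak: a plain ObjectMapper uses LaissezFaireSubTypeValidator, which
    // accepts any class name that resolves on the classpath.
    static ObjectMapper weakMapper() {
        return new ObjectMapper();
    }

    // Hardened: an explicit allow list. Only LoginEvent (and its subtypes) may
    // be named; every other class is refused before it is constructed. In a
    // real service the list is usually a package prefix, e.g.
    // .allowIfSubType("com.example.app.events.").
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(LoginEvent.class)
                .build();
        return JsonMapper.builder().polymorphicTypeValidator(ptv).build();
    }

    // Constructed input: one envelope naming the given class in "@class".
    static String document(String className) {
        return "{\"payload\":{\"@class\":\"" + className + "\",\"user\":\"alice\"}}";
    }

    // Parse with the given mapper and report what happened instead of throwing,
    // so the two configurations can be compared side by side.
    static String tryParse(ObjectMapper mapper, String json) {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return "accepted " + e.payload.getClass().getName();
        } catch (InvalidTypeIdException ex) {
            // Raised by the validator when the named class is not allow-listed.
            return "rejected: " + ex.getOriginalMessage();
        } catch (IOException ex) {
            return "error: " + ex.getMessage();
        }
    }

    public static void main(String[] args) {
        String legit = document(LoginEvent.class.getName());
        // java.util.HashMap is harmless; it stands in for any class the
        // application never meant to instantiate from untrusted JSON.
        String unexpected = document("java.util.HashMap");

        System.out.println("weak,     legit:      " + tryParse(weakMapper(), legit));
        System.out.println("weak,     unexpected: " + tryParse(weakMapper(), unexpected));
        System.out.println("hardened, legit:      " + tryParse(hardenedMapper(), legit));
        System.out.println("hardened, unexpected: " + tryParse(hardenedMapper(), unexpected));
    }
}
```

With the weak mapper both documents are accepted, the second one as a `java.util.HashMap`; with the hardened mapper the first is accepted and the second is rejected with an `InvalidTypeIdException`. For the product named in this bulletin the fix is the vendor update itself; the allow list is defence in depth for any application-side `ObjectMapper` that enables polymorphic typing, and the safest setting remains not enabling default typing on `Object`-typed fields at all.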

3. Solution:

Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1800573 - CVE-2020-1727 keycloak: missing input validation in IDP authorization URLs
1819208 - CVE-2020-10968 jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider
1821304 - CVE-2020-11111 jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory
1821311 - CVE-2020-11112 jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider
1821315 - CVE-2020-11113 jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime
1826798 - CVE-2020-11620 jackson-databind: Serialization gadgets in commons-jelly:commons-jelly
1826805 - CVE-2020-11619 jackson-databind: Serialization gadgets in org.springframework:spring-aop

5. References:

https://access.redhat.com/security/cve/CVE-2020-1727
https://access.redhat.com/security/cve/CVE-2020-10968
https://access.redhat.com/security/cve/CVE-2020-11111
https://access.redhat.com/security/cve/CVE-2020-11112
https://access.redhat.com/security/cve/CVE-2020-11113
https://access.redhat.com/security/cve/CVE-2020-11619
https://access.redhat.com/security/cve/CVE-2020-11620
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=distributions&version=7.4

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----