Red Hat Security Advisory: Red Hat Single Sign-On 7.4.2 security update
🔗 CVE IDs covered (15)
📋 Description
CVE-2020-1710 — EAP: field-name is not parsed in accordance to RFC7230 CVE-2020-1728 — keycloak: security headers missing on REST endpoints CVE-2020-1748 — Wildfly: Improper authorization issue in WildFlySecurityManager when using alternative protection domain CVE-2020-10672 — jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution CVE-2020-10673 — jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution CVE-2020-10683 — dom4j: XML External Entity vulnerability in default SAX parser CVE-2020-10687 — Undertow: Incomplete fix for CVE-2017-2666 due to permitting invalid characters in HTTP requests CVE-2020-10693 — hibernate-validator: Improper input validation in the interpolation of constraint error messages CVE-2020-10714 — wildfly-elytron: session fixation when using FORM authentication CVE-2020-10718 — wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API CVE-2020-10740 — wildfly: unsafe deserialization in Wildfly Enterprise Java Beans CVE-2020-10758 — keycloak: DoS by sending multiple simultaneous requests with a Content-Length header value greater than actual byte count of request body CVE-2020-11612 — netty: compression/decompression codecs don't enforce limits on buffer allocation sizes CVE-2020-14297 — wildfly: Some EJB transaction objects may get accumulated causing Denial of Service CVE-2020-14307 — wildfly: EJB SessionOpenInvocations may not be removed properly after a response is received causing Denial of Service
🔗 References (19)
- selfhttps://access.redhat.com/errata/RHSA-2020:3501
- externalhttps://access.redhat.com/security/updates/classification/#important
- externalhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=core.service.rhsso&downloadType=securityPatches&version=7.4
- externalhttps://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.4/
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1694235
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1785049
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1793970
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1800585
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1805501
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1807707
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1815470
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1815495
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1816216
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1825714
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1828476
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1834512
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1843849
- externalhttps://bugzilla.redhat.com/show_bug.cgi?id=1851327
- selfhttps://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3501.json