(RHSA-2019:1140) Important: Red Hat Single Sign-On 7.3.1 security update

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.3.1 serves as a replacement for Red Hat Single Sign-On 7.3.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

• keycloak: session hijack using the user access token (CVE-2019-3868)

• jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis (CVE-2018-11307)

• jackson-databind: improper polymorphic deserialization of types from Jodd-db library (CVE-2018-12022)

• jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver (CVE-2018-12023)

• undertow: Infoleak in some circumstances where Undertow can serve data from a random buffer (CVE-2018-14642)

• jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)

• jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)

• wildfly: Race condition on PID file allows for termination of arbitrary processes by local users (CVE-2019-3805)

• wildfly: wrong SecurityIdentity for EE concurrency threads that are reused (CVE-2019-3894)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.