(RHSA-2020:0951) Important: Red Hat Single Sign-On 7.3.7 security update

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.3.7 serves as a replacement for Red Hat Single Sign-On 7.3.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

• libthrift: thrift: Endless loop when feed with specific input data (CVE-2019-0205)

• libthrift: thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol (CVE-2019-0210)

• commons-beanutils: apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default (CVE-2019-10086)

• xmlsec: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source (CVE-2019-12400)

• JBoss EAP: Vault system property security attribute value is revealed on CLI ‘reload’ command (CVE-2019-14885)

• wildfly: The ‘enabled-protocols’ value in legacy security is not respected if OpenSSL security provider is in use (CVE-2019-14887)

• jackson-databind: lacks certain net.sf.ehcache blocking (CVE-2019-20330)

• netty: HTTP request smuggling (CVE-2019-20444)

• netty: HttpObjectDecoder.java allows Content-Length header to accompanied by second Content-Length header (CVE-2019-20445)

• netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)

• keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP (CVE-2020-1744)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.