Headline

RHSA-2022:0448: Red Hat Security Advisory: Red Hat Single Sign-On 7.5.1 security update on RHEL 8

New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

CVE-2021-3859: undertow: client side invocation timeout raised when calling over HTTP2
CVE-2021-4104: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
CVE-2022-23302: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
CVE-2022-23305: log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
CVE-2022-23307: log4j: Unsafe deserialization flaw in Chainsaw log viewer

3 years ago

Red Hat Security Data

Open in Source

#sql #vulnerability #web #linux #red_hat #nodejs #js #java #kubernetes

Skip to navigation Skip to main content

Utilities

Subscriptions
Downloads
Containers
Support Cases

Red Hat Customer Portal

Infrastructure and Management

Red Hat Enterprise Linux
Red Hat Virtualization
Red Hat Identity Management
Red Hat Directory Server
Red Hat Certificate System
Red Hat Satellite
Red Hat Subscription Management
Red Hat Update Infrastructure
Red Hat Insights
Red Hat Ansible Automation Platform

Cloud Computing

Red Hat OpenShift
Red Hat CloudForms
Red Hat OpenStack Platform
Red Hat OpenShift Container Platform
Red Hat OpenShift Data Science
Red Hat OpenShift Online
Red Hat OpenShift Dedicated
Red Hat Advanced Cluster Security for Kubernetes
Red Hat Advanced Cluster Management for Kubernetes
Red Hat Quay
Red Hat CodeReady Workspaces
Red Hat OpenShift Service on AWS

Storage

Red Hat Gluster Storage
Red Hat Hyperconverged Infrastructure
Red Hat Ceph Storage
Red Hat OpenShift Data Foundation

Runtimes

Red Hat Runtimes
Red Hat JBoss Enterprise Application Platform
Red Hat Data Grid
Red Hat JBoss Web Server
Red Hat Single Sign On
Red Hat support for Spring Boot
Red Hat build of Node.js
Red Hat build of Thorntail
Red Hat build of Eclipse Vert.x
Red Hat build of OpenJDK
Red Hat build of Quarkus
Red Hat CodeReady Studio

Integration and Automation

Red Hat Process Automation
Red Hat Process Automation Manager
Red Hat Decision Manager

All Products

Issued:

2022-02-07

Updated:

2022-02-07

RHSA-2022:0448 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat Single Sign-On 7.5.1 security update on RHEL 8

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

New Red Hat Single Sign-On 7.5.1 packages are now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat Single Sign-On 7.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

This release of Red Hat Single Sign-On 7.5.1 on RHEL 8 serves as a replacement for Red Hat Single Sign-On 7.5.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

undertow: client side invocation timeout raised when calling over HTTP and

HTTP2 (CVE-2021-3859)

log4j: Remote code execution in Log4j 1.x when application is configured to

use JMSSink (CVE-2022-23302)

log4j: SQL injection in Log4j 1.x when application is configured to use

JDBCAppender (CVE-2022-23305)

log4j: Unsafe deserialization flaw in Chainsaw log viewer (CVE-2022-23307)
log4j: Remote code execution in Log4j 1.x when application is configured to

use JMSAppender (CVE-2021-4104)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Single Sign-On 7.5 for RHEL 8 x86_64

Fixes

BZ - 2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2
BZ - 2031667 - CVE-2021-4104 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
BZ - 2041949 - CVE-2022-23302 log4j: Remote code execution in Log4j 1.x when application is configured to use JMSSink
BZ - 2041959 - CVE-2022-23305 log4j: SQL injection in Log4j 1.x when application is configured to use JDBCAppender
BZ - 2041967 - CVE-2022-23307 log4j: Unsafe deserialization flaw in Chainsaw log viewer
CIAM-1976 - [CVE-2021-3859 (undertow)] RPMs for RH-SSO 7.5.1 ZIP distribution

CVEs