-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Low: RH-SSO 7.3.4 adapters for Enterprise Application Platform 7.2 security update
Advisory ID:       RHSA-2019:3049-01
Product:           Red Hat JBoss Enterprise Application Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3049
Issue date:        2019-10-14
CVE Names:         CVE-2019-14820 
====================================================================
1. Summary:

Red Hat Single Sign-On 7.3.4 adapters are now available for Red Hat JBoss
Enterprise Application Platform 7.2

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss EAP 7.2 for RHEL 6 Server - noarch
Red Hat JBoss EAP 7.2 for RHEL 7 Server - noarch
Red Hat JBoss EAP 7.2 for RHEL 8 - noarch

3. Description:

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

These packages provide security updates to adapters for use with Red Hat
Single Sign-On 7.3.4 for Red Hat JBoss Enterprise Application Platform 7.2.

Security Fix(es):

* keycloak: adapter endpoints are exposed via arbitrary URLs
(CVE-2019-14820)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1649870 - CVE-2019-14820 keycloak: adapter endpoints are exposed via arbitrary URLs

6. JIRA issues fixed (https://issues.redhat.com/):

JBEAP-17585 - Tracker bug for the RH-SSO 7.3.4 adapters release for Red Hat JBoss Enterprise Application Platform 7

7. Package List:

Red Hat JBoss EAP 7.2 for RHEL 6 Server:

Source:
eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el6eap.src.rpm

noarch:
eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el6eap.noarch.rpm
eap7-keycloak-saml-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el6eap.noarch.rpm

Red Hat JBoss EAP 7.2 for RHEL 7 Server:

Source:
eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el7eap.src.rpm

noarch:
eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el7eap.noarch.rpm
eap7-keycloak-saml-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el7eap.noarch.rpm

Red Hat JBoss EAP 7.2 for RHEL 8:

Source:
eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el8eap.src.rpm

noarch:
eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el8eap.noarch.rpm
eap7-keycloak-saml-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el8eap.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2019-14820
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/

9. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXaS/2tzjgjWX9erEAQjn7A/9Fu3urKuT+ApleK7u3+3g/mIw/S+hgdNt
FvOufYF/tyhyeUGKAk8hEfQjB8G5pJ4UbG0ZXsagBM6pwXyQ62odXLCqFiCo69IT
WLu7b7ROKnxlzLq/xb1zFlt0L7tDdBjY//+fbO51SFuoUffZYV22KjLA8s+/eT32
oZnq+95eSy7ckYA1hYzKgCiAFV4qoqpExdpHC6G4E3zop9r6RklbEdjc6Nl9LxzD
x1gEc6Mh3JwJvk8HSBNUvHjDzBFAmTpoL1FeAFng/UGBAKjjnCVGM1MlOKl2rXLt
G4fK6GWl3smtyRTrDt1gQ7z9/lF8+84FrRoxF8ToDWI0z6id24l0uUh1s2wHjA3h
97J+tIszOSma1Knawg3+ImimjCYTeXlVkzViCg05Q7U2xhPBdc+J4Hn/AYCTAqSD
AEprIzTL+1jGtm7pI3iTBAKDCjg0kAjJaCPtmpOYdlm7/WYF0mDTq8LGeQtEssUC
AvqhTzzzmXDpLydAmKEoBVL0pmFZ5Hjasg6VnEQQzeSw+Za9hG7eRjoUSr47OHIV
+CAgmw4KltH7zd1e27Ln3oxJplbflZzUQ0Ce65jycvk061Xf8tiqnNHzimUGiR17
SrLPyz3vnhfrrpGHQPWL8HY1MCayb29jOstEiz/teJmXU2nFPNjY0RVPlRekVjFY
DhZ4ha2E0pU=FUUN
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2019-3049:01 Low: RH-SSO 7.3.4 adapters for Enterprise

Red Hat Single Sign-On 7.3.4 adapters are now available for Red Hat JBoss Enterprise Application Platform 7.2 Red Hat Product Security has rated this update as having a security im...

Summary

Red Hat Single Sign-On 7.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
These packages provide security updates to adapters for use with Red Hat Single Sign-On 7.3.4 for Red Hat JBoss Enterprise Application Platform 7.2.
Security Fix(es):
* keycloak: adapter endpoints are exposed via arbitrary URLs (CVE-2019-14820)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2019-14820 https://access.redhat.com/security/updates/classification/#low https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/

Package List

Red Hat JBoss EAP 7.2 for RHEL 6 Server:
Source: eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el6eap.src.rpm
noarch: eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el6eap.noarch.rpm eap7-keycloak-saml-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el6eap.noarch.rpm
Red Hat JBoss EAP 7.2 for RHEL 7 Server:
Source: eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el7eap.src.rpm
noarch: eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el7eap.noarch.rpm eap7-keycloak-saml-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el7eap.noarch.rpm
Red Hat JBoss EAP 7.2 for RHEL 8:
Source: eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el8eap.src.rpm
noarch: eap7-keycloak-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el8eap.noarch.rpm eap7-keycloak-saml-adapter-sso7_3-4.8.13-1.Final_redhat_00001.1.el8eap.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2019:3049-01
Product: Red Hat JBoss Enterprise Application Platform
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3049
Issued Date: : 2019-10-14
CVE Names: CVE-2019-14820

Topic

Red Hat Single Sign-On 7.3.4 adapters are now available for Red Hat JBossEnterprise Application Platform 7.2Red Hat Product Security has rated this update as having a security impactof Low. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat JBoss EAP 7.2 for RHEL 6 Server - noarch

Red Hat JBoss EAP 7.2 for RHEL 7 Server - noarch

Red Hat JBoss EAP 7.2 for RHEL 8 - noarch


Bugs Fixed

1649870 - CVE-2019-14820 keycloak: adapter endpoints are exposed via arbitrary URLs

6. JIRA issues fixed (https://issues.redhat.com/):

JBEAP-17585 - Tracker bug for the RH-SSO 7.3.4 adapters release for Red Hat JBoss Enterprise Application Platform 7


Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved