- Issued: 2024-04-16
- Updated: 2024-04-16
RHSA-2024:1865 - Security Advisory
Synopsis
Low: Red Hat Single Sign-On 7.6.8 Operator enhancement and security update
Type/Severity
Security Advisory: Low
Topic
Red Hat Single Sign-On 7.6.8 Operator enhancement and security update.
This is an enhancement and security update with Low impact rating and
package name 'rh-sso7-keycloak'. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
Description
Red Hat Single Sign-On 7.6.8 Operator for OpenShift
simplifies deployment and management of Single-Sign-On 7.6.8 clusters. The
Operator is supported on Red Hat OpenShift Container Platform 4.9.
Security Fix(es):
- Log Injection during WebAuthn authentication or registration (CVE-2023-6484)
Solution
To install the Red Hat Single Sign-On Operator, use the Operator Marketplace
interface in OpenShift Container Platform.
Affected Products
- Red Hat OpenShift Container Platform 4.12 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform 4.11 for RHEL 8 x86_64
- Red Hat OpenShift Container Platform for Power 4.10 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8 ppc64le
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.10 for RHEL 8 s390x
- Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.9 for RHEL 8 s390x
Fixes
- BZ - 2248423 - CVE-2023-6484 keycloak: Log Injection during WebAuthn authentication or registration
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.