RHSA-2024:6501 - Security Advisory

주제

New Red Hat build of Keycloak 22.0.12 packages are available from the Customer Portal. This is a security update with Moderate impact rating.

설명

Red Hat build of Keycloak 22.0.12 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat build of Keycloak 22.0.12 serves as a replacement for Red Hat Single Sign-On 7.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.

Security fixes:

• potential bypass of brute force protection (CVE-2024-4629)
• session fixation in elytron saml adapters (CVE-2024-7341)
• Leak of configured LDAP bind credentials through the Keycloak admin console (CVE-2024-5967)

솔루션

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

영향을 받는 제품

• Red Hat build of Keycloak Text-only Advisories x86_64

수정

• BZ - 2276761 - CVE-2024-4629 keycloak: potential bypass of brute force protection
• BZ - 2292200 - CVE-2024-5967 keycloak: Leak of configured LDAP bind credentials through the Keycloak admin console
• BZ - 2302064 - CVE-2024-7341 wildfly-elytron: org.keycloak/keycloak-services: session fixation in elytron saml adapters

CVE

• CVE-2024-4629
• CVE-2024-5967
• CVE-2024-7341

참조

• https://access.redhat.com/security/updates/classification/#moderate