Red Hat 9062 Published by

Updated rh-sso-7/sso76-openshift-rhel8 container and operator related images has been released.



RHSA-2022:8964-01: Important: updated rh-sso-7/sso76-openshift-rhel8 container and operator related images



=====================================================================
Red Hat Security Advisory

Synopsis: Important: updated rh-sso-7/sso76-openshift-rhel8 container and operator related images
Advisory ID: RHSA-2022:8964-01
Product: Red Hat OpenShift Enterprise
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:8964
Issue date: 2022-12-13
CVE Names: CVE-2016-3709 CVE-2022-1304 CVE-2022-3782
CVE-2022-3916 CVE-2022-22624 CVE-2022-22628
CVE-2022-22629 CVE-2022-22662 CVE-2022-26700
CVE-2022-26709 CVE-2022-26710 CVE-2022-26716
CVE-2022-26717 CVE-2022-26719 CVE-2022-27404
CVE-2022-27405 CVE-2022-27406 CVE-2022-30293
CVE-2022-37434 CVE-2022-42898
=====================================================================

1. Summary:

Updated rh-sso-7/sso76-openshift-rhel8 container image and
rh-sso-7/sso7-rhel8-operator-bundle image is now available for RHEL-8 based
Middleware Containers.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

The rh-sso-7/sso76-openshift-rhel8 container image and
rh-sso-7/sso7-rhel8-operator operator has been updated for RHEL-8 based
Middleware Containers to address the following security issues.

Security Fix(es):

* keycloak: path traversal via double URL encoding (CVE-2022-3782)

* keycloak: Session takeover with OIDC offline refreshtokens
(CVE-2022-3916)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Users of rh-sso-7/sso76-openshift-rhel8 container images and
rh-sso-7/sso7-rhel8-operator operator are advised to upgrade to these
updated images, which contain backported patches to correct these security
issues, fix these bugs and add these enhancements. Users of these images
are also encouraged to rebuild all container images that depend on these
images.

You can find images updated by this advisory in Red Hat Container Catalog
(see References).

3. Solution:

The RHEL-8 based Middleware Containers container image provided by this
update can be downloaded from the Red Hat Container Registry at
registry.access.redhat.com. Installation instructions for your platform are
available at Red Hat Container Catalog (see References).

Dockerfiles and scripts should be amended either to refer to this new image
specifically, or to the latest image generally.

4. Bugs fixed (  https://bugzilla.redhat.com/):

2138971 - CVE-2022-3782 keycloak: path traversal via double URL encoding
2141404 - CVE-2022-3916 keycloak: Session takeover with OIDC offline refreshtokens

5. JIRA issues fixed (  https://issues.jboss.org/):

CIAM-4412 - Build new OCP image for rh-sso-7/sso76-openshift-rhel8
CIAM-4413 - Generate new operator bundle image for this patch

6. References:

  https://access.redhat.com/security/cve/CVE-2016-3709
  https://access.redhat.com/security/cve/CVE-2022-1304
  https://access.redhat.com/security/cve/CVE-2022-3782
  https://access.redhat.com/security/cve/CVE-2022-3916
  https://access.redhat.com/security/cve/CVE-2022-22624
  https://access.redhat.com/security/cve/CVE-2022-22628
  https://access.redhat.com/security/cve/CVE-2022-22629
  https://access.redhat.com/security/cve/CVE-2022-22662
  https://access.redhat.com/security/cve/CVE-2022-26700
  https://access.redhat.com/security/cve/CVE-2022-26709
  https://access.redhat.com/security/cve/CVE-2022-26710
  https://access.redhat.com/security/cve/CVE-2022-26716
  https://access.redhat.com/security/cve/CVE-2022-26717
  https://access.redhat.com/security/cve/CVE-2022-26719
  https://access.redhat.com/security/cve/CVE-2022-27404
  https://access.redhat.com/security/cve/CVE-2022-27405
  https://access.redhat.com/security/cve/CVE-2022-27406
  https://access.redhat.com/security/cve/CVE-2022-30293
  https://access.redhat.com/security/cve/CVE-2022-37434
  https://access.redhat.com/security/cve/CVE-2022-42898
  https://catalog.redhat.com/software/containers/registry/registry.access.redhat.com/repository/rh-sso-7/sso76-openshift-rhel8
  https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.