SB2019120404 - Multiple vulnerabilities in Red Hat Single Sign-On 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019120404

SB2019120404 - Multiple vulnerabilities in Red Hat Single Sign-On

Published: December 4, 2019

Security Bulletin ID SB2019120404
Severity
Medium
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 67% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Improper Authorization (CVE-ID: CVE-2019-14843)

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to improper authorization checks in WidlFly security manager, when running under JDK 11 or 8, that successfully authorizes requests for any requesters . A locally deployed application on the server can gain access to sensitive information.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-14838)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to wildfly-core allows unnecessary write permissions for management users with Monitor, Auditor and Deployer roles. A remote authenticated user can modify server runtime state and escalate privileges within the application.


3) Information disclosure (CVE-ID: CVE-2019-14837)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to unspecified error in keycloak. A remote attacker can gain unauthorized access to sensitive information on the system.


4) Resource exhaustion (CVE-ID: CVE-2019-9514)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of user-supplied input when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP packets to the affected system trigger resource exhaustion and perform a denial of service (DoS) attack.



5) Resource management error (CVE-ID: CVE-2019-9515)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in HTTP/2 implementation when processing SETTINGS frames. A remote attacker can send a huge amount of  SETTINGS frames to the peer and consume excessive CPU and memory on the system.


6) Resource exhaustion (CVE-ID: CVE-2019-9512)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper validation of user-supplied input when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP packets to the affected system trigger resource exhaustion and perform a denial of service (DoS) attack.



Remediation

Install update from vendor's website.

References