Red Hat Single Sign-On 7.6.11 for OpenShift includes fixes for two vulnerabilities: CVE-2024-8698, which involves improper verification of SAML responses in Keycloak that can lead to privilege escalation, and CVE-2024-8883, which involves vulnerable redirect URI validation resulting in an open redirect. These vulnerabilities affect the authentication server used within OpenShift containerized environments for centralized login and user account management. Red Hat has released a new container image version 7.6.11 that addresses these issues. The update is applicable to OpenShift Container Platform versions 3.10, 3.11, and 4.3 for on-premise or private cloud deployments. The vendor advisory includes explicit update instructions to deploy the fixed image. No CVSS score is provided, but the vulnerabilities are classified as high severity by Red Hat.

The improper verification of SAML responses (CVE-2024-8698) can allow an attacker to escalate privileges within the authentication system, potentially gaining unauthorized access or elevated rights. The vulnerable redirect URI validation (CVE-2024-8883) can lead to open redirect attacks, which may be leveraged for phishing or redirecting users to malicious sites. Both vulnerabilities impact the security of the authentication server in Red Hat Single Sign-On for OpenShift, potentially compromising user authentication and session integrity. No known exploits in the wild have been reported at the time of the advisory.

Red Hat has released an updated Red Hat Single Sign-On 7.6.11 image for OpenShift that addresses these vulnerabilities. Users should update to this latest image following the vendor-provided instructions, which include replacing the relevant OpenShift resources and importing the updated image streams. The update applies to OpenShift Container Platform versions 3.10, 3.11, and 4.3. Applying this update is the recommended remediation. Patch status is confirmed by the vendor advisory, and no additional mitigations are indicated.