Описание
Keycloak TLS Client-Initiated Renegotiation Denial of Service
Keycloak is vulnerable to a Denial of Service (DoS) attack due to the default JDK setting that permits Client-Initiated Renegotiation in TLS 1.2. An unauthenticated remote attacker can repeatedly initiate TLS renegotiation requests to exhaust server CPU resources, making the service unavailable. Immediate mitigation is available by setting the -Djdk.tls.rejectClientInitiatedRenegotiation=true Java system property in the Keycloak startup configuration.
Ссылки
- https://github.com/keycloak/keycloak/security/advisories/GHSA-q8hq-4h99-fj7x
- https://nvd.nist.gov/vuln/detail/CVE-2025-11419
- https://access.redhat.com/errata/RHSA-2025:18254
- https://access.redhat.com/errata/RHSA-2025:18255
- https://access.redhat.com/errata/RHSA-2025:18889
- https://access.redhat.com/errata/RHSA-2025:18890
- https://access.redhat.com/security/cve/CVE-2025-11419
- https://bugzilla.redhat.com/show_bug.cgi?id=2402142
Пакеты
org.keycloak:keycloak-quarkus-dist
< 26.0.16
26.0.16
org.keycloak:keycloak-quarkus-dist
>= 26.1.0, < 26.2.10
26.2.10
org.keycloak:keycloak-quarkus-dist
>= 26.3.0, < 26.4.1
26.4.1
Связанные уязвимости
A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable.
A flaw was found in Keycloak. This vulnerability allows an unauthentic ...