CVE-2023-1664

Опубликовано: 27 мар. 2023

Источник: redhat

CVSS3: 6.5

Описание

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use "Revalidate Client Certificate" this flaw is avoidable.

A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of "Cannot validate client certificate trust: Truststore not available". This may not impact availability, but consumer applications Integrity or Confidentiality. Considering the environment is correctly set, this flaw is avoidable by configuring the server.

Отчет

Red Hat Impact rated as a low impact considering there's a mitigation for this issue which would be consider the environment is correctly set with the truststore file. With these settings, the environment there's no evidence of attack possibility. Also it's possible to track under the server logs for more evidences.

Меры по смягчению последствий

Make sure KC_SPI_TRUSTSTORE_FILE_FILE is correctly set and the logs are not reporting the "Cannot validate client certificate trust: Truststore not available" after an attempt to explore the vulnerability. Note this message may happen under other scenarios and reasons but the expected behavior would be that a non-valid certificate to pass.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Migration Toolkit for Runtimes	org.keycloak-keycloak-core	Affected
Red Hat build of Apicurio Registry 2	keycloak-core	Fix deferred
Red Hat build of Quarkus	org.keycloak/keycloak-core	Fix deferred
Red Hat Fuse 7	keycloak-core	Fix deferred
Red Hat Satellite 6	keycloak-httpd-client-install	Not affected
AMQ Broker 7.11.2	keycloak-core	Fixed	RHSA-2023:5491	05.10.2023
Red Hat Single Sign-On 7		Fixed	RHSA-2023:3892	27.06.2023
Red Hat Single Sign-On 7.6 for RHEL 7	rh-sso7-keycloak	Fixed	RHSA-2023:3883	27.06.2023
Red Hat Single Sign-On 7.6 for RHEL 8	rh-sso7-keycloak	Fixed	RHSA-2023:3884	27.06.2023
Red Hat Single Sign-On 7.6 for RHEL 9	rh-sso7-keycloak	Fixed	RHSA-2023:3885	27.06.2023

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low

Дефект:

CWE-295

https://bugzilla.redhat.com/show_bug.cgi?id=2182196keycloak: Untrusted Certificate Validation

6.5 Medium

CVSS3

Связанные уязвимости

CVE-2023-1664

CVSS3: 6.5

nvd

больше 2 лет назад

CVE-2023-1664

CVSS3: 6.5

debian

больше 2 лет назад

A flaw was found in Keycloak. This flaw depends on a non-default confi ...

GHSA-5cc8-pgp5-7mpm

CVSS3: 6.5

github

больше 2 лет назад

Keycloak Untrusted Certificate Validation vulnerability

BDU:2023-05659

CVSS3: 6.5

fstec

больше 2 лет назад

Уязвимость программного средства для управления идентификацией и доступом Keycloak, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации

6.5 Medium

CVSS3