Описание
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.
Отчет
While this vulnerability can enable complete compromise of system availability, it is not possible to be triggered in every environment. The impact is rated as Important due to several preconditions (number of users and how many sessions each user has) which are beyond an attacker's control.
Меры по смягчению последствий
There are three main options to prevent exploitation:
- If you are using a reverse proxy, block the consents URL.
- This option is less effective: remove the consents application tab from the account console theme.
- This option has a significant negative impact on end users: entirely disable offline user profiles.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Build of Keycloak | keycloak-core | Not affected | ||
| Red Hat Single Sign-On 7.6 for RHEL 7 | rh-sso7-keycloak | Fixed | RHSA-2023:7854 | 14.12.2023 |
| Red Hat Single Sign-On 7.6 for RHEL 8 | rh-sso7-keycloak | Fixed | RHSA-2023:7856 | 14.12.2023 |
| Red Hat Single Sign-On 7.6 for RHEL 9 | rh-sso7-keycloak | Fixed | RHSA-2023:7855 | 14.12.2023 |
| RHEL-8 based Middleware Containers | rh-sso-7/sso76-openshift-rhel8 | Fixed | RHSA-2023:7857 | 14.12.2023 |
| RHEL-8 based Middleware Containers | rh-sso-7/sso7-rhel8-operator-bundle | Fixed | RHSA-2023:7857 | 14.12.2023 |
| Single Sign-On 7.6.6 | rh-sso7-keycloak | Fixed | RHSA-2023:7858 | 14.12.2023 |
Показывать по
Дополнительная информация
Статус:
7.7 High
CVSS3
Связанные уязвимости
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.
An unconstrained memory consumption vulnerability was discovered in Ke ...
Allocation of Resources Without Limits in Keycloak
7.7 High
CVSS3