CVE-2023-6134
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.
Issued: 2023-12-14
Updated: 2023-12-14
RHSA-2023:7854 - Security Advisory
Synopsis
Important: Red Hat Single Sign-On 7.6.6 security update on RHEL 7
Type/Severity
Security Advisory: Important
Topic
New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
This release of Red Hat Single Sign-On 7.6.6 on RHEL 7 serves as a replacement for Red Hat Single Sign-On 7.6.5, and includes bug fixes and enhancements.
Security Fix(es):
- keycloak: reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6291)
- keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6134)
- keycloak: offline session token DoS (CVE-2023-6563)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
- Red Hat Single Sign-On 7.6 for RHEL 7 x86_64
Fixes
- BZ - 2249673 - CVE-2023-6134 keycloak: reflected XSS via wildcard in OIDC redirect_uri
- BZ - 2251407 - CVE-2023-6291 keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts
- BZ - 2253308 - CVE-2023-6563 keycloak: offline session token DoS
Red Hat Single Sign-On 7.6 for RHEL 7
SRPM
rh-sso7-keycloak-18.0.11-2.redhat_00003.1.el7sso.src.rpm
SHA-256: ab9100a90952da5ec41b972b69c149a989dd8765cce78d6022692fa687e1b189
x86_64
rh-sso7-keycloak-18.0.11-2.redhat_00003.1.el7sso.noarch.rpm
SHA-256: 9fea3dac4f3695c34db3211edf8370414a2cd78ac1a64cd856af9e30da6c3c67
rh-sso7-keycloak-server-18.0.11-2.redhat_00003.1.el7sso.noarch.rpm
SHA-256: 364c7385de072f8d935feb9dac7db6ed6dceee3799685eea65a0ac36cbed2966
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Red Hat Security Advisory 2024-0804-03 - A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0801-03 - A new image is available for Red Hat Single Sign-On 7.6.7, running on OpenShift Container Platform 3.10 and 3.11, and 4.3. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0800-03 - New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.
Red Hat Security Advisory 2024-0799-03 - New Red Hat Single Sign-On 7.6.7 packages are now available for Red Hat Enterprise Linux 8. Issues addressed include bypass, cross site scripting, and open redirection vulnerabilities.
An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. The problem arises in the verifyRedirectUri method, which attempts to enforce rules on user-controllable input, but essentially causes a desynchronization in how Keycloak and browsers interpret URLs. Keycloak, for example, receives "www%2ekeycloak%2eorg%2fapp%2f:[email protected]" and thinks the authority to be keycloak.org when it is actually example.com. This happens because the validation logic is performed on a URL decoded version, which no longer represents the original input.
Acknowledgements
Karel Knibbe
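The decode-before-parse mistake described above is easy to reproduce with a standard URL parser. The following is an added example, not Keycloak's verifyRedirectUri code: it parses a constructed redirect_uri once after percent-decoding (the flawed order) and once as received (what a browser does), shows that the two disagree on the authority, and sketches a stricter allow-list check that parses the raw string and rejects userinfo outright. The allow-list and the sample URI are assumptions made up for the demonstration.

```python
from typing import Optional
from urllib.parse import urlparse, unquote

# Constructed allow-list for this example; not Keycloak's configuration.
ALLOWED_HOSTS = {"www.keycloak.org"}

# Constructed redirect_uri in the style the advisory describes: the percent-encoded
# allowed host sits in the userinfo part, and the real authority is example.com.
SAMPLE_REDIRECT_URI = "https://www%2ekeycloak%2eorg%2fapp%2f:x@example.com/"


def host_after_decoding(redirect_uri: str) -> Optional[str]:
    """Flawed order: percent-decode first, then parse.

    After decoding, "%2f" becomes "/", so the parser ends the authority early and
    reports the attacker-chosen host, which no longer matches the original input.
    """
    return urlparse(unquote(redirect_uri)).hostname


def host_as_browser_sees(redirect_uri: str) -> Optional[str]:
    """Parse the string exactly as received; the authority is what a browser connects to."""
    return urlparse(redirect_uri).hostname


def naive_is_allowed(redirect_uri: str) -> bool:
    """Validation on the decoded form: accepts the sample because it sees www.keycloak.org."""
    return host_after_decoding(redirect_uri) in ALLOWED_HOSTS


def strict_is_allowed(redirect_uri: str) -> bool:
    """Validation on the raw form, with userinfo rejected so the host cannot be disguised."""
    parts = urlparse(redirect_uri)
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc:
        # Userinfo has no business in an OIDC redirect target; refuse it outright.
        return False
    return parts.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    print("decoded-then-parsed host:", host_after_decoding(SAMPLE_REDIRECT_URI))
    print("raw host (browser view):  ", host_as_browser_sees(SAMPLE_REDIRECT_URI))
    print("naive check accepts:      ", naive_is_allowed(SAMPLE_REDIRECT_URI))
    print("strict check accepts:     ", strict_is_allowed(SAMPLE_REDIRECT_URI))
```

The point of the strict variant is not the particular allow-list but the order of operations: compare the authority of the string as received against the allow-list, and never make an authorization decision on a transformed copy of user input that the browser will not see.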
Keycloak prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This could permit an attacker to submit a specially crafted request leading to XSS or possibly further attacks.
Red Hat Security Advisory 2023-7861-03 - A security update is now available for Red Hat build of Keycloak 22.0.7 images running on OpenShift Container Platform. Issues addressed include bypass and cross site scripting vulnerabilities.
Red Hat Security Advisory 2023-7860-03 - Red Hat build of Keycloak 22.0.7 is now available from the Customer Portal. Issues addressed include bypass and cross site scripting vulnerabilities.
Red Hat Security Advisory 2023-7858-03 - A security update is now available for Red Hat Single Sign-On 7.6 from the Customer Portal. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.
Red Hat Security Advisory 2023-7857-03 - A new image is available for Red Hat Single Sign-On 7.6.6, running on OpenShift Container Platform 3.10 and 3.11, and 4.3. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.
Red Hat Security Advisory 2023-7856-03 - New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 8. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.
Red Hat Security Advisory 2023-7855-03 - New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 9. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.
Red Hat Security Advisory 2023-7854-03 - New Red Hat Single Sign-On 7.6.6 packages are now available for Red Hat Enterprise Linux 7. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions, leading to excessive memory and CPU consumption which could potentially crash the entire system.