===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.2392                               
     Red Hat build of Keycloak 22.0.10 enhancement and security update     
                               18 April 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat build of Keycloak 22.0.10                       
Publisher:         Red Hat                                                 
Operating System:  Red Hat                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2023-0657 CVE-2023-3597 CVE-2023-6717               
                   CVE-2023-6787 CVE-2024-2419 CVE-2023-6484               
                   CVE-2023-6544 CVE-2024-1132 CVE-2024-1249               

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1867

Comment: CVSS (Max):  8.1 CVE-2024-1132 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
         CVSS Source: Red Hat                                              
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N


- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Keycloak 22.0.10
                   enhancement and security update
Advisory ID:       RHSA-2024:1867
Product:           Red Hat build of Keycloak 22
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1867
Issue date:        2024-04-16
CVE Names:         CVE-2023-0657 CVE-2023-3597 CVE-2023-6484 CVE-2023-6544
                   CVE-2023-6717 CVE-2023-6787 CVE-2024-1132 CVE-2024-1249
                   CVE-2024-2419
=====================================================================

1. Summary:

A bug update is now available for Red Hat build of Keycloak 22.0.10 images
running on OpenShift Container Platform. This is an enhancement and security
update with a Moderate impact rating.

2. Relevant releases/architectures:

Red Hat build of Keycloak 22 - amd64, ppc64le, s390x 

3. Description:

Red Hat build of Keycloak 22.0.10 is an integrated solution, available as a Red
Hat JBoss Middleware for OpenShift containerized image, based on the Keycloak
project, that provides authentication and standards-based single sign-on
capabilities for web and mobile applications.

Security Fix(es):

* Authorization Bypass (CVE-2023-6544)
* XSS via assertion consumer service URL in SAML POST-binding flow
(CVE-2023-6717)
* path traversal in redirection validation (CVE-2024-1132)
* unvalidated cross-origin messages in checkLoginIframe lead to DDoS
(CVE-2024-1249)
* path traversal in the redirect validation (CVE-2024-2419)
* secondary factor bypass in step-up authentication (CVE-2023-3597)
* impersonation via logout token exchange (CVE-2023-0657)
* session hijacking via re-authentication (CVE-2023-6787)
* keycloak-rhel9-operator-bundle-container: Log Injection during WebAuthn
authentication or registration (CVE-2023-6484)
* keycloak-rhel9-operator-container: Log Injection during WebAuthn
authentication or registration (CVE-2023-6484)

This erratum releases a bug update and enhancement images for Red Hat build of
Keycloak 22.0.10 for use within the OpenShift Container Platform 4.12, 4.13,
4.14 and 4.15 cloud computing Platform-as-a-Service (PaaS) for on-premise or
private cloud deployments, aligning with the standalone product release.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2166728 - CVE-2023-0657 - keycloak: impersonation via logout token exchange
2221760 - CVE-2023-3597 - keycloak: secondary factor bypass in step-up authentication
2248423 - CVE-2023-6484 - keycloak: Log Injection during WebAuthn authentication or registration
2253116 - CVE-2023-6544 - keycloak: Authorization Bypass
2253952 - CVE-2023-6717 - keycloak: XSS via assertion consumer service URL in SAML POST-binding flow
2254375 - CVE-2023-6787 - keycloak: session hijacking via re-authentication
2262117 - CVE-2024-1132 - keycloak: path traversal in redirection validation
2262918 - CVE-2024-1249 - keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe lead to DDoS
2269371 - CVE-2024-2419 - keycloak: path traversal in the redirect validation

6. Package List:

Red Hat build of Keycloak 22

9Base-RHBK-22:rhbk/keycloak-operator-bundle@sha256:a47cee9b95ed78d7895c2582772abe3ccf239259ee3fbc2d7df8594450dc32f9_amd64:
rhbk/keycloak-operator-bundle@sha256:a47cee9b95ed78d7895c2582772abe3ccf239259ee3fbc2d7df8594450dc32f9_amd64.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9-operator@sha256:06aa39709dbbd870a14be493bdd452243f700d2910072044ea0d7f8e4abe50b2_amd64:
rhbk/keycloak-rhel9-operator@sha256:06aa39709dbbd870a14be493bdd452243f700d2910072044ea0d7f8e4abe50b2_amd64.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9-operator@sha256:1f5fe6756a3767d1ca8cf3f79c9c14054012f73977602af5c1fc6c5e224fac52_ppc64le:
rhbk/keycloak-rhel9-operator@sha256:1f5fe6756a3767d1ca8cf3f79c9c14054012f73977602af5c1fc6c5e224fac52_ppc64le.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9-operator@sha256:be417b344db10adf963d1f64c94e2d214e205489e03395dc508074d783e6422e_s390x:
rhbk/keycloak-rhel9-operator@sha256:be417b344db10adf963d1f64c94e2d214e205489e03395dc508074d783e6422e_s390x.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9@sha256:20d135d4d422505497c9aa85afb6acb2d9378191358632700e1ce0f259507583_s390x:
rhbk/keycloak-rhel9@sha256:20d135d4d422505497c9aa85afb6acb2d9378191358632700e1ce0f259507583_s390x.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9@sha256:3787bdf294019d8a0f57f7d7e11da98522205de2625c7f287a1d00e11a5b2d83_ppc64le:
rhbk/keycloak-rhel9@sha256:3787bdf294019d8a0f57f7d7e11da98522205de2625c7f287a1d00e11a5b2d83_ppc64le.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9@sha256:a462539eeff9638d642f13eb2dbc04a47cc39198a7f52d8b6eb07e1e14d783fd_amd64:
rhbk/keycloak-rhel9@sha256:a462539eeff9638d642f13eb2dbc04a47cc39198a7f52d8b6eb07e1e14d783fd_amd64.rpm
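The advisory publishes one image digest per image and architecture, so the useful check after applying the update is whether the pods in the cluster actually run those digests. The script below is an added example, not Red Hat's or AusCERT's code: it embeds section 6 of the advisory as the mail wraps it, rejoins the broken digests, and compares them with a sample of container imageIDs. The `oc get pods` command and its JSONPath are real; the OBSERVED_AMD64 values are constructed for the example (registry.example.com, the sidecar image and the all-zero digest standing in for an older operator image are made up).

```python
"""Check running Keycloak images against the digests in RHSA-2024:1867.
Added example (not Red Hat's or AusCERT's code): the package list below is
section 6 of the advisory as the mail wraps it; OBSERVED_AMD64 is a constructed
sample of `oc get pods -A -o jsonpath='{.items[*].status.containerStatuses[*].imageID}'`
output (real command, made-up values)."""
import re

ADVISORY_PACKAGE_LIST = """\
9Base-RHBK-22:rhbk/keycloak-operator-bundle@sha256:a47cee9b95ed78d7895c2582772ab
e3ccf239259ee3fbc2d7df8594450dc32f9_amd64:
rhbk/keycloak-operator-bundle@sha256:a47cee9b95ed78d7895c2582772abe3ccf239259ee3
fbc2d7df8594450dc32f9_amd64.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9-operator@sha256:06aa39709dbbd870a14be493bdd452
243f700d2910072044ea0d7f8e4abe50b2_amd64:
rhbk/keycloak-rhel9-operator@sha256:06aa39709dbbd870a14be493bdd452243f700d291007
2044ea0d7f8e4abe50b2_amd64.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9-operator@sha256:1f5fe6756a3767d1ca8cf3f79c9c14
054012f73977602af5c1fc6c5e224fac52_ppc64le:
rhbk/keycloak-rhel9-operator@sha256:1f5fe6756a3767d1ca8cf3f79c9c14054012f7397760
2af5c1fc6c5e224fac52_ppc64le.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9-operator@sha256:be417b344db10adf963d1f64c94e2d
214e205489e03395dc508074d783e6422e_s390x:
rhbk/keycloak-rhel9-operator@sha256:be417b344db10adf963d1f64c94e2d214e205489e033
95dc508074d783e6422e_s390x.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9@sha256:20d135d4d422505497c9aa85afb6acb2d937819
1358632700e1ce0f259507583_s390x:
rhbk/keycloak-rhel9@sha256:20d135d4d422505497c9aa85afb6acb2d9378191358632700e1ce
0f259507583_s390x.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9@sha256:3787bdf294019d8a0f57f7d7e11da98522205de
2625c7f287a1d00e11a5b2d83_ppc64le:
rhbk/keycloak-rhel9@sha256:3787bdf294019d8a0f57f7d7e11da98522205de2625c7f287a1d0
0e11a5b2d83_ppc64le.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9@sha256:a462539eeff9638d642f13eb2dbc04a47cc3919
8a7f52d8b6eb07e1e14d783fd_amd64:
rhbk/keycloak-rhel9@sha256:a462539eeff9638d642f13eb2dbc04a47cc39198a7f52d8b6eb07
e1e14d783fd_amd64.rpm
"""

# One entry is "<channel>:<image>@sha256:<digest>_<arch>:" followed by
# "<image>@sha256:<digest>_<arch>.rpm"; the back-references check that both
# halves name the same image, digest and architecture.
ENTRY_RE = re.compile(
    r"(?P<channel>[^:]+):(?P<image>[^@]+)@sha256:(?P<digest>[0-9a-f]{64})"
    r"_(?P<arch>[a-z0-9]+):(?P=image)@sha256:(?P=digest)_(?P=arch)\.rpm"
)
# An imageID as OpenShift reports it: optional registry host, repository, digest.
IMAGE_REF_RE = re.compile(r"(?:[^/@]+/)?(?P<image>rhbk/[^@]+)@sha256:(?P<digest>[0-9a-f]{64})")


def parse_package_list(text):
    """Return {(image, arch): digest}, rejoining digests wrapped across lines."""
    fixed = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        joined = "".join(line.strip() for line in block.splitlines())
        m = ENTRY_RE.fullmatch(joined)
        if m is None:
            raise ValueError("unrecognised package entry: " + joined[:60])
        fixed[(m["image"], m["arch"])] = m["digest"]
    return fixed


def check_running_images(observed_refs, fixed, arch):
    """Classify each observed imageID; `arch` is the node architecture, since
    the advisory publishes a different digest per architecture."""
    report = {}
    for ref in observed_refs:
        m = IMAGE_REF_RE.fullmatch(ref)
        if m is None:
            report[ref] = "not an RHBK image"
        elif (m["image"], arch) not in fixed:
            report[ref] = "image not covered by this advisory"
        elif m["digest"] == fixed[(m["image"], arch)]:
            report[ref] = "at fixed digest"
        else:
            report[ref] = "NOT at fixed digest, update required"
    return report


# Constructed sample: one server image already at the fixed digest, one operator
# still on an older placeholder digest, one unrelated sidecar.
OBSERVED_AMD64 = [
    "registry.redhat.io/rhbk/keycloak-rhel9@sha256:"
    "a462539eeff9638d642f13eb2dbc04a47cc39198a7f52d8b6eb07e1e14d783fd",
    "registry.redhat.io/rhbk/keycloak-rhel9-operator@sha256:" + "0" * 64,
    "registry.example.com/example/sidecar@sha256:" + "1" * 64,
]

if __name__ == "__main__":
    fixed = parse_package_list(ADVISORY_PACKAGE_LIST)
    for ref, verdict in check_running_images(OBSERVED_AMD64, fixed, "amd64").items():
        print(f"{verdict:40s} {ref}")
```

The node architecture has to be passed in because the advisory lists a distinct digest for amd64, ppc64le and s390x; on OpenShift it can be read per node from `.status.nodeInfo.architecture`. Comparing digests rather than tags is the point of the check: a tag such as 22 can be re-pointed, while the sha256 digest names exactly the content the advisory was issued for.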

7. References:

https://access.redhat.com/security/cve/CVE-2023-0657
https://access.redhat.com/security/cve/CVE-2023-3597
https://access.redhat.com/security/cve/CVE-2023-6484
https://access.redhat.com/security/cve/CVE-2023-6544
https://access.redhat.com/security/cve/CVE-2023-6717
https://access.redhat.com/security/cve/CVE-2023-6787
https://access.redhat.com/security/cve/CVE-2024-1132
https://access.redhat.com/security/cve/CVE-2024-1249
https://access.redhat.com/security/cve/CVE-2024-2419
https://access.redhat.com/security/updates/classification/#moderate

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================