===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.2392
      Red Hat build of Keycloak 22.0.10 enhancement and security update
                               18 April 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat build of Keycloak 22.0.10
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-0657 CVE-2023-3597 CVE-2023-6717 CVE-2023-6787
                   CVE-2024-2419 CVE-2023-6484 CVE-2023-6544 CVE-2024-1132
                   CVE-2024-1249

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2024:1867

Comment: CVSS (Max):  8.1 CVE-2024-1132 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat build of Keycloak 22.0.10 enhancement and security update
Advisory ID:       RHSA-2024:1867
Product:           Red Hat build of Keycloak 22
Advisory URL:      https://access.redhat.com/errata/RHSA-2024:1867
Issue date:        2024-04-16
CVE Names:         CVE-2023-0657 CVE-2023-3597 CVE-2023-6484 CVE-2023-6544
                   CVE-2023-6717 CVE-2023-6787 CVE-2024-1132 CVE-2024-1249
                   CVE-2024-2419
=====================================================================

1. Summary:

A bug update is now available for Red Hat build of Keycloak 22.0.10 images
running on OpenShift Container Platform. This is an enhancement and security
update with Moderate impact rating.

2. Relevant releases/architectures:

Red Hat build of Keycloak 22 - amd64, ppc64le, s390x
3. Description:

Red Hat build of Keycloak 22.0.10 is an integrated solution, available as a
Red Hat JBoss Middleware for OpenShift containerized image, based on the
Keycloak project, that provides authentication and standards-based single
sign-on capabilities for web and mobile applications.

Security Fix(es):

* Authorization Bypass (CVE-2023-6544)
* XSS via assertion consumer service URL in SAML POST-binding flow (CVE-2023-6717)
* path traversal in redirection validation (CVE-2024-1132)
* unvalidated cross-origin messages in checkLoginIframe leads to DDoS (CVE-2024-1249)
* path traversal in the redirect validation (CVE-2024-2419)
* secondary factor bypass in step-up authentication (CVE-2023-3597)
* impersonation via logout token exchange (CVE-2023-0657)
* session hijacking via re-authentication (CVE-2023-6787)
* keycloak-rhel9-operator-bundle-container: Log Injection during WebAuthn authentication or registration (CVE-2023-6484)
* keycloak-rhel9-operator-container: Log Injection during WebAuthn authentication or registration (CVE-2023-6484)

This erratum releases bug fix and enhancement images for Red Hat build of
Keycloak 22.0.10 for use within the OpenShift Container Platform 4.12, 4.13,
4.14 and 4.15 cloud computing Platform-as-a-Service (PaaS) for on-premise or
private cloud deployments, aligning with the standalone product release.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258
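The advisory identifies the fixed images only by digest (section 6, Package List), so the practical post-update check is to compare the digests the cluster is actually running against that list. The script below is an added example, not Red Hat tooling: it parses the output of an assumed `oc get pods -A -o jsonpath=...` invocation (shown in the comments), flags any rhbk container whose digest is not one of the advisory's fixed digests, and also flags rhbk containers that are pinned by tag rather than digest, since those cannot be verified against the list at all. The sample output embedded in it is constructed; the all-zero digest stands in for an arbitrary pre-update image and is not a real digest.

```python
"""Compare running rhbk image digests with the fixed digests from
RHSA-2024:1867 section 6. Added example, not Red Hat tooling."""
import re
from typing import List, Tuple

# Fixed digests copied from the advisory's Package List. The "_amd64" style
# suffix in that list is an architecture tag, not part of the digest.
FIXED_DIGESTS = {
    "rhbk/keycloak-operator-bundle": {
        "sha256:a47cee9b95ed78d7895c2582772abe3ccf239259ee3fbc2d7df8594450dc32f9",
    },
    "rhbk/keycloak-rhel9-operator": {
        "sha256:06aa39709dbbd870a14be493bdd452243f700d2910072044ea0d7f8e4abe50b2",
        "sha256:1f5fe6756a3767d1ca8cf3f79c9c14054012f73977602af5c1fc6c5e224fac52",
        "sha256:be417b344db10adf963d1f64c94e2d214e205489e03395dc508074d783e6422e",
    },
    "rhbk/keycloak-rhel9": {
        "sha256:20d135d4d422505497c9aa85afb6acb2d9378191358632700e1ce0f259507583",
        "sha256:3787bdf294019d8a0f57f7d7e11da98522205de2625c7f287a1d00e11a5b2d83",
        "sha256:a462539eeff9638d642f13eb2dbc04a47cc39198a7f52d8b6eb07e1e14d783fd",
    },
}

# Matches "<registry>/rhbk/<name>@sha256:<64 hex>" or "<registry>/rhbk/<name>:<tag>",
# with or without a "docker-pullable://" style prefix before the registry.
RHBK_RE = re.compile(r"(?:^|/)(rhbk/[a-z0-9-]+)(?:@(sha256:[0-9a-f]{64})|:([^/@]+))?$")

# Assumed command that produces the input (one pod per line: namespace, tab,
# pod name, tab, then every container's imageID separated by spaces):
#   oc get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{range .status.containerStatuses[*]}{.imageID}{" "}{end}{"\n"}{end}'
# Constructed sample of that output; the all-zero digest is a made-up
# stand-in for a pre-update image, not a real digest.
SAMPLE_OUTPUT = "\n".join([
    "keycloak\tkeycloak-0\tregistry.redhat.io/rhbk/keycloak-rhel9@sha256:a462539eeff9638d642f13eb2dbc04a47cc39198a7f52d8b6eb07e1e14d783fd",
    "keycloak\tkeycloak-1\tregistry.redhat.io/rhbk/keycloak-rhel9@sha256:" + "0" * 64,
    "keycloak\tkeycloak-2\tregistry.redhat.io/rhbk/keycloak-rhel9:22",
    "openshift-operators\trhbk-operator-6c9f\tregistry.redhat.io/rhbk/keycloak-rhel9-operator@sha256:06aa39709dbbd870a14be493bdd452243f700d2910072044ea0d7f8e4abe50b2",
    "openshift-monitoring\tprometheus-k8s-0\tquay.io/prometheus/prometheus@sha256:" + "1" * 64
    + " quay.io/prometheus/config-reloader@sha256:" + "2" * 64,
]) + "\n"


def find_unpatched(output: str) -> List[Tuple[str, str, str, str]]:
    """Return (namespace, pod, image, detail) for every rhbk container that is
    either not running one of the advisory's fixed digests or is not pinned by
    digest at all. Non-rhbk images are ignored."""
    findings = []
    for line in output.splitlines():
        parts = line.split("\t")
        if len(parts) < 3:
            continue  # malformed or pod without container status yet
        namespace, pod, image_ids = parts[0], parts[1], parts[2]
        for image_id in image_ids.split():
            m = RHBK_RE.search(image_id)
            if not m:
                continue  # not an rhbk image
            image, digest, tag = m.group(1), m.group(2), m.group(3)
            if digest is None:
                findings.append((namespace, pod, image, f"no digest (tag {tag or 'latest'})"))
            elif digest not in FIXED_DIGESTS.get(image, set()):
                # Unknown image names fall here too: they are not covered by this list.
                findings.append((namespace, pod, image, digest))
    return findings


if __name__ == "__main__":
    for namespace, pod, image, detail in find_unpatched(SAMPLE_OUTPUT):
        print(f"{namespace}/{pod}: {image} {detail}")
```

Pipe the real `oc` output into `find_unpatched` instead of `SAMPLE_OUTPUT`; an empty result means every rhbk container on the cluster is running a digest from this advisory. A digest-pinned image that is newer than this advisory will also be reported, which is intentional: the list only proves that these specific digests carry the fixes.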
5. Bugs fixed (https://bugzilla.redhat.com/):

2166728 - CVE-2023-0657 - keycloak: impersonation via logout token exchange
2221760 - CVE-2023-3597 - keycloak: secondary factor bypass in step-up authentication
2248423 - CVE-2023-6484 - keycloak: Log Injection during WebAuthn authentication or registration
2253116 - CVE-2023-6544 - keycloak: Authorization Bypass
2253952 - CVE-2023-6717 - keycloak: XSS via assertion consumer service URL in SAML POST-binding flow
2254375 - CVE-2023-6787 - keycloak: session hijacking via re-authentication
2262117 - CVE-2024-1132 - keycloak: path traversal in redirection validation
2262918 - CVE-2024-1249 - keycloak: org.keycloak.protocol.oidc: unvalidated cross-origin messages in checkLoginIframe leads to DDoS
2269371 - CVE-2024-2419 - keycloak: path traversal in the redirect validation

6. Package List:

Red Hat build of Keycloak 22

9Base-RHBK-22:rhbk/keycloak-operator-bundle@sha256:a47cee9b95ed78d7895c2582772abe3ccf239259ee3fbc2d7df8594450dc32f9_amd64:
rhbk/keycloak-operator-bundle@sha256:a47cee9b95ed78d7895c2582772abe3ccf239259ee3fbc2d7df8594450dc32f9_amd64.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9-operator@sha256:06aa39709dbbd870a14be493bdd452243f700d2910072044ea0d7f8e4abe50b2_amd64:
rhbk/keycloak-rhel9-operator@sha256:06aa39709dbbd870a14be493bdd452243f700d2910072044ea0d7f8e4abe50b2_amd64.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9-operator@sha256:1f5fe6756a3767d1ca8cf3f79c9c14054012f73977602af5c1fc6c5e224fac52_ppc64le:
rhbk/keycloak-rhel9-operator@sha256:1f5fe6756a3767d1ca8cf3f79c9c14054012f73977602af5c1fc6c5e224fac52_ppc64le.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9-operator@sha256:be417b344db10adf963d1f64c94e2d214e205489e03395dc508074d783e6422e_s390x:
rhbk/keycloak-rhel9-operator@sha256:be417b344db10adf963d1f64c94e2d214e205489e03395dc508074d783e6422e_s390x.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9@sha256:20d135d4d422505497c9aa85afb6acb2d9378191358632700e1ce0f259507583_s390x:
rhbk/keycloak-rhel9@sha256:20d135d4d422505497c9aa85afb6acb2d9378191358632700e1ce0f259507583_s390x.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9@sha256:3787bdf294019d8a0f57f7d7e11da98522205de2625c7f287a1d00e11a5b2d83_ppc64le:
rhbk/keycloak-rhel9@sha256:3787bdf294019d8a0f57f7d7e11da98522205de2625c7f287a1d00e11a5b2d83_ppc64le.rpm

9Base-RHBK-22:rhbk/keycloak-rhel9@sha256:a462539eeff9638d642f13eb2dbc04a47cc39198a7f52d8b6eb07e1e14d783fd_amd64:
rhbk/keycloak-rhel9@sha256:a462539eeff9638d642f13eb2dbc04a47cc39198a7f52d8b6eb07e1e14d783fd_amd64.rpm

7. References:

https://access.redhat.com/security/cve/CVE-2023-0657
https://access.redhat.com/security/cve/CVE-2023-3597
https://access.redhat.com/security/cve/CVE-2023-6484
https://access.redhat.com/security/cve/CVE-2023-6544
https://access.redhat.com/security/cve/CVE-2023-6717
https://access.redhat.com/security/cve/CVE-2023-6787
https://access.redhat.com/security/cve/CVE-2024-1132
https://access.redhat.com/security/cve/CVE-2024-1249
https://access.redhat.com/security/cve/CVE-2024-2419
https://access.redhat.com/security/updates/classification/#moderate

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
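Two of the fixes listed under Security Fix(es) in the advisory above, CVE-2024-1132 and CVE-2024-2419, are described as path traversal in redirect validation. The advisory gives no detail of the flawed code, so the block below is an illustrative example added here and is not Keycloak's implementation: it contrasts a naive string-prefix match on `redirect_uri` with a check that parses the URL, rejects userinfo, compares scheme, host and port exactly, and only then matches a normalized path (percent-decoded, with `.` and `..` segments collapsed) against the registered pattern. The registered patterns, the candidate URLs and the naive form are all constructed for the example; the `/*` wildcard is used in the sense the advisory's product uses it, a prefix under which any path is allowed.

```python
"""Illustrative redirect_uri check for the traversal class named in the
advisory (CVE-2024-1132, CVE-2024-2419). Added example; not Keycloak's code."""
import posixpath
from typing import List
from urllib.parse import unquote, urlsplit

# Constructed: a client's registered valid redirect URIs. A trailing "/*"
# permits any path below that prefix.
REGISTERED: List[str] = [
    "https://app.example.com/callback/*",
    "https://app.example.com/login",
]


def naive_is_allowed(redirect_uri: str) -> bool:
    """Weak check (assumed form, for contrast): raw string prefix match.
    It never looks at the path structure, so '/callback/../admin' passes."""
    for pattern in REGISTERED:
        if pattern.endswith("/*"):
            if redirect_uri.startswith(pattern[:-1]):   # keeps the trailing "/"
                return True
        elif redirect_uri == pattern:
            return True
    return False


def normalize_path(path: str) -> str:
    """Percent-decode until stable (bounded, to defeat double encoding) and
    collapse '.' / '..' segments, so '/callback/../admin' and
    '/callback/%2e%2e/admin' both become '/admin'."""
    decoded = path or "/"
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    normalized = posixpath.normpath(decoded)
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"            # normpath drops a trailing slash
    return normalized


def hardened_is_allowed(redirect_uri: str) -> bool:
    """Structural check: parse, reject userinfo, require exact scheme/host/port
    and match the normalized path against each registered pattern."""
    try:
        cand = urlsplit(redirect_uri)
        cand_port = cand.port                      # raises ValueError on junk ports
    except ValueError:
        return False
    if cand.username is not None or cand.password is not None:
        return False                               # "https://host@evil/..." tricks
    cand_path = normalize_path(cand.path)
    for pattern in REGISTERED:
        pat = urlsplit(pattern)
        if (cand.scheme, cand.hostname, cand_port) != (pat.scheme, pat.hostname, pat.port):
            continue
        if pat.path.endswith("/*"):
            prefix = pat.path[:-1]                 # e.g. "/callback/"
            if cand_path == prefix.rstrip("/") or cand_path.startswith(prefix):
                return True
        elif cand_path == normalize_path(pat.path):
            return True
    return False


if __name__ == "__main__":
    # Constructed candidates: two traversal attempts and one legitimate callback.
    for uri in ("https://app.example.com/callback/../admin",
                "https://app.example.com/callback/%2e%2e/admin",
                "https://app.example.com/callback/done?code=1"):
        print(f"{uri}\n  naive={naive_is_allowed(uri)} hardened={hardened_is_allowed(uri)}")
```

The point of the contrast is that a redirect target is an authorization decision, not a string: it has to be matched on the parsed and normalized components, because an authorization code or token sent to `/callback/../admin` is delivered to `/admin` by the browser regardless of what the raw string looked like to the validator.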