Red Hat Single Sign-On 7.6.4 security update on RHEL 7
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2022-4361 CVE-2023-1108 CVE-2023-1664 CVE-2023-2422 CVE-2023-2585 |
| CWE-ID | CWE-79 CWE-835 CWE-295 CWE-290 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
rh-sso7-keycloak (Red Hat package) Operating systems & Components / Operating system package or component |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU77750
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-4361
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists in the SAML or OIDC providers in Keycloak due to insufficient sanitization of user-supplied data passed via the AssertionConsumerServiceURL value or the redirect_uri. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
rh-sso7-keycloak (Red Hat package): before 18.0.8-1.redhat_00001.1.el7sso
External linkshttp://access.redhat.com/errata/RHSA-2023:3883
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Infinite loop
EUVDB-ID: #VU73219
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1108
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop caused by an unexpected handshake status updated in SslConduit. A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationInstall updates from vendor's website.
rh-sso7-keycloak (Red Hat package): before 18.0.8-1.redhat_00001.1.el7sso
External linkshttp://access.redhat.com/errata/RHSA-2023:3883
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper Certificate Validation
EUVDB-ID: #VU77752
Risk: Medium
CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-1664
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass client certificate validation.
The vulnerability exists due to improper certificate validation when using X509 Client Certificate Authenticatior with the option "Revalidate Client Certificate". A remote attacker with ability to directly connect to Keycloak (e.g. not via the reverse proxy) can bypass certificate validation and gain unauthorized access to the application.
Successful exploitation of the vulnerability requires that there's a configuration error in KC_SPI_TRUSTSTORE_FILE_FILE, which results in accepting any certificate with the logging information of "Cannot validate client certificate trust: Truststore not available".
MitigationInstall updates from vendor's website.
rh-sso7-keycloak (Red Hat package): before 18.0.8-1.redhat_00001.1.el7sso
External linkshttp://access.redhat.com/errata/RHSA-2023:3883
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper certificate validation
EUVDB-ID: #VU77766
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-2422
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass authorization process.
The vulnerability exists due to improper certificate validation chain when a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients. A remote user that possesses a proper certificate can authorize itself as any other client and therefore access data that belongs to other clients.
MitigationInstall updates from vendor's website.
rh-sso7-keycloak (Red Hat package): before 18.0.8-1.redhat_00001.1.el7sso
External linkshttp://access.redhat.com/errata/RHSA-2023:3883
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Authentication Bypass by Spoofing
EUVDB-ID: #VU77767
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-2585
CWE-ID:
CWE-290 - Authentication Bypass by Spoofing
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error within the Keycloak Device Authorisation Grant. A remote attacker can spoof parts of the device flow and use a device_code to retrieve an access token for other OAuth clients.
MitigationInstall updates from vendor's website.
rh-sso7-keycloak (Red Hat package): before 18.0.8-1.redhat_00001.1.el7sso
External linkshttp://access.redhat.com/errata/RHSA-2023:3883
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
