#VU84615 Resource exhaustion in Keycloak
Vulnerability identifier: #VU84615
Vulnerability risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-400
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Keycloak
Server applications /
Directory software, identity management
Vendor:
Description
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper control over internal resources in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). A remote user can create two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
External links
http://access.redhat.com/security/cve/CVE-2023-6563
http://bugzilla.redhat.com/show_bug.cgi?id=2253308
http://github.com/keycloak/keycloak/issues/13340
http://access.redhat.com/errata/RHSA-2023:7854
http://access.redhat.com/errata/RHSA-2023:7855
http://access.redhat.com/errata/RHSA-2023:7856
http://access.redhat.com/errata/RHSA-2023:7857
http://access.redhat.com/errata/RHSA-2023:7858
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
