#VU84615 Resource exhaustion in Keycloak


Published: 2023-12-20

Vulnerability identifier: #VU84615

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6563

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Keycloak
Server applications / Directory software, identity management

Vendor:

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper control over internal resources in environments that hold millions of offline tokens (> 500,000 users, each having at least 2 saved sessions). A remote user can create two or more user sessions and then open the "consents" tab of the admin user interface; the UI then attempts to load a huge number of offline client sessions, leading to excessive memory and CPU consumption that could potentially crash the entire system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions


External links
http://access.redhat.com/security/cve/CVE-2023-6563
http://bugzilla.redhat.com/show_bug.cgi?id=2253308
http://github.com/keycloak/keycloak/issues/13340
http://access.redhat.com/errata/RHSA-2023:7854
http://access.redhat.com/errata/RHSA-2023:7855
http://access.redhat.com/errata/RHSA-2023:7856
http://access.redhat.com/errata/RHSA-2023:7857
http://access.redhat.com/errata/RHSA-2023:7858


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
