DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body. https://issues.redhat.com/browse/KEYCLOAK-14363
Acknowledgments: Name: Matt Hamilton (Soluble.ai)
Mitigation: - The possibility of this issue largely depends on the environment, specifically the load balancer or reverse proxies between the client and the server. The issue occurs when there is no load balancer in place. - Proper tuning of HTTP request timeout and keycloak database max pool size can mitigate this issue : bin/jboss-cli.sh --connect --commands='/subsystem=transactions:write-attribute(name=default-timeout,value=30),/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=read-timeout,value=30000),/subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=read-timeout,value=30000),/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=max-pool-size,value=100),reload'
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 6 Via RHSA-2020:3495 https://access.redhat.com/errata/RHSA-2020:3495
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 7 Via RHSA-2020:3496 https://access.redhat.com/errata/RHSA-2020:3496
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 8 Via RHSA-2020:3497 https://access.redhat.com/errata/RHSA-2020:3497
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.2 Via RHSA-2020:3501 https://access.redhat.com/errata/RHSA-2020:3501
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10758
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:3539 https://access.redhat.com/errata/RHSA-2020:3539