Bug 2253308 (CVE-2023-6563) - CVE-2023-6563 keycloak: offline session token DoS
Summary: CVE-2023-6563 keycloak: offline session token DoS
Keywords:
Status: NEW
Alias: CVE-2023-6563
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2253310
TreeView+ depends on / blocked
 
Reported: 2023-12-06 18:47 UTC by Nick Tait
Modified: 2023-12-19 19:19 UTC (History)
11 users (show)

Fixed In Version: keycloak 21.0.0
Doc Type: If docs needed, set a value
Doc Text:
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:7854 0 None None None 2023-12-14 18:58:31 UTC
Red Hat Product Errata RHSA-2023:7855 0 None None None 2023-12-14 18:58:13 UTC
Red Hat Product Errata RHSA-2023:7856 0 None None None 2023-12-14 18:58:25 UTC
Red Hat Product Errata RHSA-2023:7857 0 None None None 2023-12-14 19:55:13 UTC
Red Hat Product Errata RHSA-2023:7858 0 None None None 2023-12-14 19:04:33 UTC

Description Nick Tait 2023-12-06 18:47:17 UTC 
A vulnerability has been discovered in the way RH-SSO handles offline tokens, which can be exploited to cause a denial
of service via memory exhaustion. The issue is caused by the way how the server processes offline tokens.

An attacker can exploit this vulnerability by creating just two offline tokens. Once these tokens are created, the attacker can interact with the endpoint by triggering a list of the multiple sessions of the user. In environments where there could be potentially millions of offline tokens created by all users, this action leads to an excessive consumption of server memory.
Comment 6 errata-xmlrpc 2023-12-14 18:58:11 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:7855 https://access.redhat.com/errata/RHSA-2023:7855
Comment 7 errata-xmlrpc 2023-12-14 18:58:23 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:7856 https://access.redhat.com/errata/RHSA-2023:7856
Comment 8 errata-xmlrpc 2023-12-14 18:58:30 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:7854 https://access.redhat.com/errata/RHSA-2023:7854
Comment 9 errata-xmlrpc 2023-12-14 19:04:32 UTC 
This issue has been addressed in the following products:

  Single Sign-On 7.6.6

Via RHSA-2023:7858 https://access.redhat.com/errata/RHSA-2023:7858
Comment 10 errata-xmlrpc 2023-12-14 19:55:12 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:7857 https://access.redhat.com/errata/RHSA-2023:7857
Note You need to log in before you can comment on or make changes to this bug.