Bug 1484154 (CVE-2017-12160)

Summary: CVE-2017-12160 keycloak: resource privilege extension via access token in oauth
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bdawidow, chazlett, dffrench, drieden, drusso, jmadigan, jshepherd, kpiwko, lgriffin, ngough, pdrozd, pwright, rrajasek, security-response-team, sthorger, trepel
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Keycloak 3.3.0.Final, Keycloak 3.4.0.Final Doc Type: Bug Fix
Doc Text:
It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 11:55:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1484091    

Description Chess Hazlett 2017-08-22 20:58:25 UTC 
It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to grant himself continued permissions and possibly conduct further attacks.

Upstream issue:

https://issues.jboss.org/browse/KEYCLOAK-5280
Comment 1 Chess Hazlett 2017-10-17 16:14:42 UTC 
Acknowledgments:

Name: Bart Toersche (Simacan)
Comment 2 errata-xmlrpc 2017-10-17 19:42:58 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2017:2906 https://access.redhat.com/errata/RHSA-2017:2906
Comment 3 errata-xmlrpc 2017-10-17 19:53:57 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.1 for RHEL 6

Via RHSA-2017:2904 https://access.redhat.com/errata/RHSA-2017:2904
Comment 4 errata-xmlrpc 2017-10-17 19:54:29 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.1 for RHEL 7

Via RHSA-2017:2905 https://access.redhat.com/errata/RHSA-2017:2905