Bug 1730227 (CVE-2019-14837)
| Field | Value |
|---|---|
| Summary | CVE-2019-14837 keycloak: keycloak uses hardcoded open dummy domain for new accounts enabling information disclosure |
| Product | [Other] Security Response |
| Reporter | Marian Rehak <mrehak> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | aboyko, aileenc, avibelli, bgeorges, cbyrne, chazlett, cmacedo, cmoulliard, dffrench, dkreling, drieden, drusso, ggaughan, ikanello, janstey, jbalunas, jmadigan, jochrist, jpadman, jpallich, jshepherd, jwon, krathod, lthon, mszynkie, ngough, pdrozd, pgallagh, pjindal, psampaio, pwright, rruss, security-response-team, sthorger, trepel, trogers |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in Keycloak. The use of an open hard-coded domain can allow an unauthorized login by setting up a mail server and resetting the user credentials, enabling information disclosure. |
| Last Closed | 2019-12-02 19:04:55 UTC |
| Bug Blocks | 1730228 |
Description
Marian Rehak, 2019-07-16 09:01:30 UTC

The version of Keycloak used in Red Hat Mobile Application Platform did not have the Service Account feature. It was added in version 1.4, see: https://planet.jboss.org/post/service_accounts_support_in_keycloak. Please refer to the attached screenshots to replicate this.

Created attachment 1614803 [details]: Series of screenshots

Steps to reproduce:
- Create an application and deploy it on JBoss EAP with authentication mechanism as BASIC and secure it with RHSSO.
- Register this application as an RHSSO client (confidential client) with service account enabled (shown in the attached screenshot).
- Set up an email server and email verification in the RHSSO realm (shown in the attached screenshot).
- I have also attached a screenshot of my local JDBC client showing the USER_ENTITY table from the H2 database. Observe the default email ID created for service accounts (shown in the attached screenshot).
- Just to be sure that RHSSO indeed sends password reset emails, change the default email ID to one you have access to.
- Now access your application URL and click on "forget password".
- Enter the user name as "service-account-<client-id>" and click submit (shown in the attached screenshot).
- You will get the password reset email at your email ID (shown in the attached screenshot).
- Now reset the password and log in again with the new password.

Acknowledgments:
Name: Vadim Ashikhman

Mitigation:
It is not a very straightforward workaround, but it is possible to mitigate this by manually editing the default Email ID (service_account_name) to some valid email ID (abc) in the USER_ENTITY table in the RHSSO database used.

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.3 for RHEL 7
Via RHSA-2019:4041 https://access.redhat.com/errata/RHSA-2019:4041

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.3 for RHEL 6
Via RHSA-2019:4040 https://access.redhat.com/errata/RHSA-2019:4040

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.3 for RHEL 8
Via RHSA-2019:4042 https://access.redhat.com/errata/RHSA-2019:4042

This issue has been addressed in the following products:
Red Hat Single Sign-On
Via RHSA-2019:4045 https://access.redhat.com/errata/RHSA-2019:4045

This bug is now closed.
Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14837
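As an added defender-side example (not code from the bug report, from Keycloak or from Red Hat), the script below applies the audit and the mitigation the report describes: it lists the service-account users in USER_ENTITY whose email still points at the dummy domain, then repoints those addresses at a mailbox the realm administrator controls. It assumes sqlite3 in place of the H2 database, a subset of USER_ENTITY's columns (SERVICE_ACCOUNT_CLIENT_LINK is the column that ties a service-account user to its client), constructed sample rows, and a dummy domain passed in as a parameter (`dummy.invalid` here) because the report does not name the real one.

```python
import sqlite3

# Subset of Keycloak's USER_ENTITY columns; the rows below are constructed.
SCHEMA = """CREATE TABLE USER_ENTITY (
    ID TEXT PRIMARY KEY, USERNAME TEXT, EMAIL TEXT, REALM_ID TEXT,
    SERVICE_ACCOUNT_CLIENT_LINK TEXT)"""
SAMPLE_ROWS = [
    ("u1", "alice", "alice@corp.example", "master", None),
    ("u2", "service-account-billing-app",
     "service-account-billing-app@dummy.invalid", "master", "c-billing"),
    ("u3", "service-account-reports", "ops@corp.example", "master", "c-reports"),
    ("u4", "bob", "bob@dummy.invalid", "master", None),  # human user, not a service account
]

def open_sample_db():
    """In-memory stand-in for the RH-SSO database (H2 in the report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO USER_ENTITY VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def find_exposed_service_accounts(conn, dummy_domain):
    """Service accounts whose email still sits on the dummy domain.

    A password-reset mail for these users is delivered to a domain nobody
    in the realm controls, which is the condition CVE-2019-14837 describes."""
    suffix = "@" + dummy_domain.lower()
    rows = conn.execute(
        "SELECT USERNAME, EMAIL, REALM_ID FROM USER_ENTITY "
        "WHERE SERVICE_ACCOUNT_CLIENT_LINK IS NOT NULL AND EMAIL IS NOT NULL"
    ).fetchall()
    return [r for r in rows if r[1].lower().endswith(suffix)]

def remediate(conn, dummy_domain, owner_mailbox):
    """Apply the report's mitigation: point each exposed account's email at
    a mailbox the realm administrator controls. Returns rows changed."""
    exposed = find_exposed_service_accounts(conn, dummy_domain)
    conn.executemany(
        "UPDATE USER_ENTITY SET EMAIL = ? WHERE USERNAME = ? AND REALM_ID = ?",
        [(owner_mailbox, user, realm) for user, _, realm in exposed])
    conn.commit()
    return len(exposed)

if __name__ == "__main__":
    db = open_sample_db()
    for user, email, realm in find_exposed_service_accounts(db, "dummy.invalid"):
        print(f"exposed: {realm}/{user} -> {email}")
    print("rows remediated:", remediate(db, "dummy.invalid", "sso-admin@corp.example"))
```

Against a real RH-SSO database the same two queries run unchanged over JDBC; the fixed versions listed in the errata above remove the need for this workaround.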