Bug 1843849 (CVE-2020-10758)
| Summary: | CVE-2020-10758 keycloak: DoS by sending multiple simultaneous requests with a Content-Length header value greater than actual byte count of request body | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Paramvir jindal <pjindal> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, avibelli, bgeorges, chazlett, cmoulliard, dkreling, drieden, etirelli, ggaughan, gmalinko, ibek, ikanello, janstey, jbalunas, jochrist, jpallich, jstastny, jwon, krathod, kverlaen, lthon, mnovotny, mszynkie, paradhya, pdrozd, pgallagh, pjindal, rrajasek, rruss, rsynek, sdaley, security-response-team, sthorger |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | keycloak 11.0.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Keycloak. This flaw allows an attacker to perform a denial of service attack by sending multiple simultaneous requests with a Content-Length header value greater than the actual byte count of the request body. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-08-18 21:15:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1843833 | ||
|
Description
Paramvir jindal
2020-06-04 10:01:08 UTC
Acknowledgments: Name: Matt Hamilton (Soluble.ai) Mitigation: - The possibility of this issue largely depends on the environment, specifically the load balancer or reverse proxies between the client and the server. The issue occurs when there is no load balancer in place. - Proper tuning of HTTP request timeout and keycloak database max pool size can mitigate this issue : bin/jboss-cli.sh --connect --commands='/subsystem=transactions:write-attribute(name=default-timeout,value=30),/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=read-timeout,value=30000),/subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=read-timeout,value=30000),/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=max-pool-size,value=100),reload' This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 6 Via RHSA-2020:3495 https://access.redhat.com/errata/RHSA-2020:3495 This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 7 Via RHSA-2020:3496 https://access.redhat.com/errata/RHSA-2020:3496 This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 8 Via RHSA-2020:3497 https://access.redhat.com/errata/RHSA-2020:3497 This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.2 Via RHSA-2020:3501 https://access.redhat.com/errata/RHSA-2020:3501 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10758 This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:3539 https://access.redhat.com/errata/RHSA-2020:3539 |