Bug 1849584 (CVE-2020-14302)

Summary: CVE-2020-14302 keycloak: reusable "state" parameter at redirect_uri endpoint enables possibility of replay attacks
Product: [Other] Security Response Reporter: Paramvir jindal <pjindal>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, avibelli, bgeorges, chazlett, cmoulliard, dkreling, drieden, etirelli, ggaughan, gmalinko, ibek, ikanello, janstey, jbalunas, jochrist, jpallich, jstastny, jwon, krathod, kverlaen, lthon, mnovotny, mszynkie, pdrozd, pgallagh, pjindal, rrajasek, rruss, rsynek, sdaley, security-response-team, sthorger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
See Also: https://issues.redhat.com/browse/KEYCLOAK-14539
Whiteboard:
Fixed In Version: keycloak 13.0.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Keycloak, where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-23 17:35:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1848547    

Description Paramvir jindal 2020-06-22 10:28:08 UTC 
Beside its core functionality as Identity Provider, Keycloak implements the OIDC Service Provider part of the specification for the _identity brokerage_ feature.
 In doing so, Keycloak provides dedicated _redirect_uris_ for each configured OIDC IdP: [https://keycloak.local/auth/realms/]{realm}}/broker/\{alias}/endpoint

The _redirect_uri_ endpoint does not invalidate "state" values if they are redeemed multiple times. As a result, multiple request to this endpoint including one valid "state" value result in request to the IdPs Token Endpoint being initiated by Keycloak.

Jira: https://issues.redhat.com/browse/KEYCLOAK-14483
Comment 1 Paramvir jindal 2020-06-22 10:28:25 UTC 
Acknowledgments:

Name: Lauritz Holtmann (@_lauritz_) (Chair for Network and Data Security at Ruhr University Bochum)
Comment 3 Paramvir jindal 2020-06-22 12:23:28 UTC 
RHSSO 7.4 is affected by this.
Comment 6 errata-xmlrpc 2021-03-23 13:58:54 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4 for RHEL 7

Via RHSA-2021:0968 https://access.redhat.com/errata/RHSA-2021:0968
Comment 7 errata-xmlrpc 2021-03-23 13:59:36 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4 for RHEL 6

Via RHSA-2021:0967 https://access.redhat.com/errata/RHSA-2021:0967
Comment 8 errata-xmlrpc 2021-03-23 14:08:45 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4 for RHEL 8

Via RHSA-2021:0969 https://access.redhat.com/errata/RHSA-2021:0969
Comment 9 errata-xmlrpc 2021-03-23 14:17:51 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.6

Via RHSA-2021:0974 https://access.redhat.com/errata/RHSA-2021:0974
Comment 10 Product Security DevOps Team 2021-03-23 17:35:36 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14302