Bug 2182196 (CVE-2023-1664)

Summary: CVE-2023-1664 keycloak: Untrusted Certificate Validation
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: aileenc, anstephe, ataylor, avibelli, bbuckingham, bcourt, bgeorges, boliveir, chazlett, clement.escoffier, dandread, dkreling, drichtar, ehelms, eric.wittmann, fjansen, gmalinko, gsmet, hamadhan, janstey, jmartisk, jpavlik, jross, jsherril, lthon, lzap, max.andersen, mhulan, myarboro, nmoumoul, orabin, pantinor, pcreech, pdelbell, pdrozd, peholase, pgallagh, pjindal, probinso, pskopek, rchan, rkieley, rowaters, rruss, rsvoboda, sbiarozk, sdouglas, sthorger, tqvarnst
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: keycloak-core 21.1.2
Doc Type: ---
Doc Text:
A flaw was found in Keycloak. This flaw requires the non-default configuration option "Revalidate Client Certificate" to be enabled and the reverse proxy not to validate the client certificate before it reaches Keycloak. In that setup an attacker may choose which certificate the server will validate. If, in addition, the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing or misconfigured, any presented certificate may be accepted, with only the log message "Cannot validate client certificate trust: Truststore not available" recording the fact. This may not impact availability, but it may impact the integrity or confidentiality of consumer applications. With the environment correctly set, this flaw is avoidable by configuring the server.
Story Points: ---
Last Closed: 2023-06-27 23:30:55 UTC
Type: ---
Regression: ---
Bug Blocks: 2155676

Description Patrick Del Bello 2023-03-27 20:50:10 UTC
A flaw was found in keycloak-core. This flaw considers the scenario when using the X509 Client Certificate Authenticator with the option "Revalidate Client Certificate". A user may be able to choose a specific certificate if directly connecting to Keycloak (not passing via the reverse proxy). If there's a configuration error in KC_SPI_TRUSTSTORE_FILE_FILE, the authenticator allows it even with the "Cannot validate client certificate trust: Truststore not available" message, as there's no certificate to trust against.
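The two conditions named in the Doc Text and in the description above (an unset or dangling KC_SPI_TRUSTSTORE_FILE_FILE, and the "Truststore not available" warning appearing in the server log) can both be checked from the operator's side. The following is an added example, not Keycloak's or Red Hat's code; it assumes a Unix filesystem and uses constructed sample log lines, not real Keycloak output.

```python
import os
from typing import Iterable, List, Mapping, Tuple

# Exact warning quoted in the advisory: it means a client certificate was
# processed while no truststore was available to validate its chain against.
TRUSTSTORE_MISSING_MSG = "Cannot validate client certificate trust: Truststore not available"

# Variable named in the advisory that must point at the server's truststore.
TRUSTSTORE_VAR = "KC_SPI_TRUSTSTORE_FILE_FILE"


def check_truststore_config(env: Mapping[str, str]) -> List[str]:
    """Return findings about the truststore setting; an empty list means OK.

    `env` is any mapping shaped like os.environ, so the check can be run
    against a container's exported environment as well as the live one.
    """
    findings = []
    path = env.get(TRUSTSTORE_VAR, "").strip()
    if not path:
        findings.append(f"{TRUSTSTORE_VAR} is not set: client certificate trust cannot be validated")
    elif not os.path.isfile(path):
        findings.append(f"{TRUSTSTORE_VAR} points to a missing file: {path}")
    return findings


def find_unvalidated_client_certs(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, text) for each log line carrying the advisory's warning.

    Each hit is a client certificate authentication that went ahead without a
    truststore; where the X509 Client Certificate Authenticator is in use these
    lines should be treated as an alert, not as noise.
    """
    return [(n, line.rstrip()) for n, line in enumerate(lines, start=1)
            if TRUSTSTORE_MISSING_MSG in line]


# Constructed sample log lines (not real Keycloak output) for demonstration.
SAMPLE_LOG = [
    "2023-03-27 20:50:10 INFO  Keycloak started",
    "2023-03-27 20:51:02 WARN  Cannot validate client certificate trust: Truststore not available",
    "2023-03-27 20:51:02 INFO  X509 authentication succeeded for user alice",
    "2023-03-27 20:52:17 WARN  Cannot validate client certificate trust: Truststore not available",
]

if __name__ == "__main__":
    for finding in check_truststore_config(os.environ):
        print("CONFIG:", finding)
    for n, text in find_unvalidated_client_certs(SAMPLE_LOG):
        print(f"LOG line {n}: {text}")
```

Run the config check against the environment of the Keycloak process itself (for example the container's environment), since that is where the variable takes effect.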

Comment 4 errata-xmlrpc 2023-06-27 18:49:28 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:3885 https://access.redhat.com/errata/RHSA-2023:3885

Comment 5 errata-xmlrpc 2023-06-27 18:49:36 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:3884 https://access.redhat.com/errata/RHSA-2023:3884

Comment 6 errata-xmlrpc 2023-06-27 18:49:44 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:3883 https://access.redhat.com/errata/RHSA-2023:3883

Comment 7 errata-xmlrpc 2023-06-27 18:49:52 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:3888 https://access.redhat.com/errata/RHSA-2023:3888

Comment 8 errata-xmlrpc 2023-06-27 18:53:50 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:3892 https://access.redhat.com/errata/RHSA-2023:3892

Comment 9 Product Security DevOps Team 2023-06-27 23:30:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1664

Comment 10 errata-xmlrpc 2023-10-05 22:37:32 UTC
This issue has been addressed in the following products:

  AMQ Broker 7.11.2

Via RHSA-2023:5491 https://access.redhat.com/errata/RHSA-2023:5491