Bug 2253308 (CVE-2023-6563)

Summary: CVE-2023-6563 keycloak: offline session token DoS
Product: [Other] Security Response Reporter: Nick Tait <ntait>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: boliveir, chazlett, drichtar, mulliken, pdrozd, peholase, pjindal, pskopek, rowaters, security-response-team, sthorger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: keycloak 21.0.0 Doc Type: If docs needed, set a value
Doc Text:
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2253310    

Description Nick Tait 2023-12-06 18:47:17 UTC 
A vulnerability has been discovered in the way RH-SSO handles offline tokens, which can be exploited to cause a denial
of service via memory exhaustion. The issue is caused by the way how the server processes offline tokens.

An attacker can exploit this vulnerability by creating just two offline tokens. Once these tokens are created, the attacker can interact with the endpoint by triggering a list of the multiple sessions of the user. In environments where there could be potentially millions of offline tokens created by all users, this action leads to an excessive consumption of server memory.
Comment 6 errata-xmlrpc 2023-12-14 18:58:11 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:7855 https://access.redhat.com/errata/RHSA-2023:7855
Comment 7 errata-xmlrpc 2023-12-14 18:58:23 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:7856 https://access.redhat.com/errata/RHSA-2023:7856
Comment 8 errata-xmlrpc 2023-12-14 18:58:30 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:7854 https://access.redhat.com/errata/RHSA-2023:7854
Comment 9 errata-xmlrpc 2023-12-14 19:04:32 UTC 
This issue has been addressed in the following products:

  Single Sign-On 7.6.6

Via RHSA-2023:7858 https://access.redhat.com/errata/RHSA-2023:7858
Comment 10 errata-xmlrpc 2023-12-14 19:55:12 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:7857 https://access.redhat.com/errata/RHSA-2023:7857