Bug 2276761 (CVE-2024-4629)

Summary: CVE-2024-4629 keycloak: potential bypass of brute force protection
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, chazlett, darran.lofthouse, dkreling, dosoudil, drichtar, istudens, ivassile, iweiss, jkoops, mosmerov, msochure, mstefank, msvehla, mulliken, nwallace, pdrozd, peholase, pjindal, pmackay, pskopek, rmartinc, rowaters, rstancel, security-response-team, smaestri, sthorger, tom.jenkinson
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: Keycloak 24.0.3
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 2276748

Description Robb Gatica 2024-04-23 21:22:17 UTC
Summary:
If an attacker launches many login attempts in parallel, then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user.

Requirements to exploit:
Keycloak configured with Brute Force Protection

Component affected: org.keycloak:keycloak-services (Authentication)

Version affected: <= 24.0.3
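The check-then-record ordering described in the report, modelled as an added Python example (this is not Keycloak code, and the names RacyProtector, AtomicProtector, run_parallel and _rendezvous are hypothetical). The first protector evaluates the lock-out limit before the guess is counted, so a burst of concurrent attempts that all pass the check before any of them is recorded are all evaluated against the real password. The second reserves the attempt under a lock before verifying the password, so the same burst can never push more guesses through verification than the configured limit allows. The barrier is a constructed device that forces the worst-case interleaving deterministically; it stands in for the timing an operator cannot control in production.

```python
"""Added illustration of a brute-force protector with a check-then-record
race, beside one that reserves the attempt atomically.  Constructed example;
not Keycloak code.  All class and function names are hypothetical."""
import threading
from typing import Optional


class RacyProtector:
    """Check the lock state, verify the password, then record the failure.
    Nothing between the check and the record stops other concurrent attempts
    from passing the same check on the same stale counter."""

    def __init__(self, max_failures: int) -> None:
        self.max_failures = max_failures
        self.failures = 0
        self.verifications = 0                  # guesses that reached password verification
        self._counter_lock = threading.Lock()   # keeps the counters themselves consistent

    def attempt(self, password_ok: bool, sync: Optional[threading.Barrier] = None) -> str:
        if self.failures >= self.max_failures:  # decision taken on a possibly stale count
            return "locked"
        _rendezvous(sync)                       # constructed: hold here until every caller passed the check
        with self._counter_lock:
            self.verifications += 1
            if password_ok:
                self.failures = 0
                return "success"
            self.failures += 1                  # recorded only after the guess was evaluated
            return "failed"


class AtomicProtector:
    """Reserve the attempt under the lock before the password is evaluated.
    The counter then bounds guesses that reach verification, not merely
    failures recorded afterwards, so concurrency cannot stretch the limit."""

    def __init__(self, max_failures: int) -> None:
        self.max_failures = max_failures
        self.failures = 0
        self.verifications = 0
        self._lock = threading.Lock()

    def attempt(self, password_ok: bool, sync: Optional[threading.Barrier] = None) -> str:
        with self._lock:
            if self.failures >= self.max_failures:
                return "locked"
            self.failures += 1                  # slot reserved before verification
        _rendezvous(sync)                       # same forced interleaving as above
        with self._lock:
            self.verifications += 1
            if password_ok:
                self.failures = 0               # a genuine login clears the counter
                return "success"
            return "failed"


def _rendezvous(sync: Optional[threading.Barrier]) -> None:
    """Block until all barrier parties arrive; if fewer callers got this far
    (because the rest were refused as locked) the barrier times out and the
    waiting callers simply continue."""
    if sync is None:
        return
    try:
        sync.wait(timeout=0.5)
    except threading.BrokenBarrierError:
        pass


def run_parallel(protector, guesses: int) -> dict:
    """Fire `guesses` wrong-password attempts concurrently and report how many
    reached verification versus how many were refused as locked."""
    barrier = threading.Barrier(guesses)
    results = []
    results_lock = threading.Lock()

    def worker() -> None:
        outcome = protector.attempt(False, sync=barrier)
        with results_lock:
            results.append(outcome)

    threads = [threading.Thread(target=worker) for _ in range(guesses)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {"verified": protector.verifications, "locked": results.count("locked")}


if __name__ == "__main__":
    # With a limit of 3, ten simultaneous guesses all reach verification in
    # the racy design; only three do in the atomic one.
    print("racy  :", run_parallel(RacyProtector(max_failures=3), guesses=10))
    print("atomic:", run_parallel(AtomicProtector(max_failures=3), guesses=10))
```

The design point carries over to a real deployment: whatever store holds the per-user counter, the increment that reserves the attempt has to be atomic with the limit check and has to happen before the credential is evaluated; a counter that is only bumped after a failed verification leaves the window the report describes.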

Comment 2 errata-xmlrpc 2024-09-09 15:58:19 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2024:6499 https://access.redhat.com/errata/RHSA-2024:6499

Comment 3 errata-xmlrpc 2024-09-09 15:58:41 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2024:6493 https://access.redhat.com/errata/RHSA-2024:6493

Comment 4 errata-xmlrpc 2024-09-09 16:00:14 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2024:6494 https://access.redhat.com/errata/RHSA-2024:6494

Comment 5 errata-xmlrpc 2024-09-09 16:01:59 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:6501 https://access.redhat.com/errata/RHSA-2024:6501

Comment 6 errata-xmlrpc 2024-09-09 16:06:01 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2024:6500 https://access.redhat.com/errata/RHSA-2024:6500

Comment 7 errata-xmlrpc 2024-09-09 16:07:46 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2024:6495 https://access.redhat.com/errata/RHSA-2024:6495

Comment 8 errata-xmlrpc 2024-09-09 16:12:22 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:6497 https://access.redhat.com/errata/RHSA-2024:6497