Bug 2358834 (CVE-2025-3501)

Summary: CVE-2025-3501 org.keycloak.protocol.services: Keycloak hostname verification
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aschwart, boliveir, drichtar, jkoops, mposolda, pdrozd, peholase, pesilva, pjindal, pskopek, rmartinc, rowaters, security-response-team, ssilvert, sthorger, vmuzikar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Deadline: 2025-05-01

Description OSIDB Bzimport 2025-04-10 12:30:38 UTC
Hostname verification issue that causes the trust store to trust all certificates. By setting the verification policy to 'ALL', not only the hostname check is skipped but also the trust store certificate verification, which is an unintended side effect.

Comment 1 errata-xmlrpc 2025-04-29 22:53:28 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 22

Via RHSA-2025:4336 https://access.redhat.com/errata/RHSA-2025:4336

Comment 2 errata-xmlrpc 2025-04-29 23:03:21 UTC
This issue has been addressed in the following products:

  Red Hat build of Keycloak 26.0

Via RHSA-2025:4335 https://access.redhat.com/errata/RHSA-2025:4335