Keycloak implemented HMAC verification using a comparison method that does not operate in constant time. This potentially leaves the application open to timing attacks.
Acknowledgments: Name: Richard Kettelerij (Mindloops)
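The class of defect described above, shown as an added example (not Keycloak's code and not part of the original report): an HMAC check that uses an early-exit byte comparison beside one that uses the JDK's `MessageDigest.isEqual`. The class name, method names, key and message are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacVerifyExample {

    // Compute HMAC-SHA256 over the signed input with the shared secret.
    static byte[] hmac(byte[] key, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // Weak: Arrays.equals may return at the first differing byte, so the time
    // taken can depend on how many leading bytes of the supplied tag match.
    static boolean verifyVariableTime(byte[] key, byte[] data, byte[] tag)
            throws GeneralSecurityException {
        return Arrays.equals(hmac(key, data), tag);
    }

    // Hardened: on current JDKs MessageDigest.isEqual examines every byte,
    // so timing does not reveal where the first mismatch occurs.
    static boolean verifyConstantTime(byte[] key, byte[] data, byte[] tag)
            throws GeneralSecurityException {
        return MessageDigest.isEqual(hmac(key, data), tag);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample values, not real credentials or tokens.
        byte[] key = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        byte[] data = "header.payload".getBytes(StandardCharsets.UTF_8);

        byte[] good = hmac(key, data);
        byte[] firstWrong = good.clone();
        firstWrong[0] ^= 0x01;                    // mismatch at the first byte
        byte[] lastWrong = good.clone();
        lastWrong[lastWrong.length - 1] ^= 0x01;  // mismatch at the last byte
        byte[] truncated = Arrays.copyOf(good, good.length - 1);

        // Both checks return the same answers; only their timing differs.
        for (byte[] tag : new byte[][] {good, firstWrong, lastWrong, truncated}) {
            System.out.println(verifyVariableTime(key, data, tag)
                    + " " + verifyConstantTime(key, data, tag));
        }
    }
}
```

Because the two methods are functionally identical, unit tests that only check accept/reject results will not catch the weak form; code review or static analysis for `Arrays.equals`, `String.equals` or hand-written loops on MAC values is the practical check.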
This issue has been addressed in the following products: Via RHSA-2017:0876 https://access.redhat.com/errata/RHSA-2017:0876
This issue has been addressed in the following products: Red Hat Single Sign-On 7.1 for RHEL 7 Via RHSA-2017:0873 https://access.redhat.com/errata/RHSA-2017:0873
This issue has been addressed in the following products: Red Hat Single Sign-On 7.1 for RHEL 6 Via RHSA-2017:0872 https://access.redhat.com/errata/RHSA-2017:0872