Depending on the web server configuration (for example, when the TLS-terminating reverse proxy in front of Keycloak forwards the client certificate in a header without enforcing its validity period itself), a malicious user can supply an expired certificate and it would be accepted by the Keycloak X.509 direct-grant authenticator. This is because that authenticator never triggers the certificate timestamp (notBefore/notAfter) validation that the browser-flow authenticator performs.

X509 Direct Grant:
https://github.com/keycloak/keycloak/blob/4f330f4a57cbfcf6202b60546518261c66e59a35/services/src/main/java/org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.java#L74-L76

It would seem that PR https://github.com/keycloak/keycloak/pull/6330 missed a spot in adding the validateTimestamps call.

https://issues.redhat.com/browse/KEYCLOAK-16450
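The following is an added example, not Keycloak's own code, showing the kind of validity-period check that was missing from the direct-grant path. The class name X509ValidityCheck, the simplified acceptWithoutTimestampCheck stand-in for the affected behaviour, and the validateTimestamps helper are hypothetical names chosen for this illustration; only the java.security.cert API calls are real. It reads a PEM certificate from the path given on the command line, so an expired certificate can be fed to it to see the two outcomes side by side.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;

/**
 * Added example (hypothetical, not Keycloak code): contrasts accepting a client
 * certificate on its subject alone with first enforcing its validity period.
 */
public class X509ValidityCheck {

    /**
     * Simplified stand-in for the affected direct-grant behaviour: the leaf
     * certificate is "accepted" as soon as a subject can be read from it, with
     * no check of notBefore/notAfter. Do not use this in real code.
     */
    static boolean acceptWithoutTimestampCheck(X509Certificate[] chain) {
        return chain != null
                && chain.length > 0
                && chain[0].getSubjectX500Principal() != null;
    }

    /**
     * Hardened variant: every certificate in the chain must be valid at 'now'.
     * checkValidity(Date) throws if the date is outside [notBefore, notAfter].
     */
    static void validateTimestamps(X509Certificate[] chain, Date now) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        for (X509Certificate cert : chain) {
            try {
                cert.checkValidity(now);
            } catch (CertificateExpiredException e) {
                throw new CertificateException("certificate for " + cert.getSubjectX500Principal()
                        + " expired on " + cert.getNotAfter(), e);
            } catch (CertificateNotYetValidException e) {
                throw new CertificateException("certificate for " + cert.getSubjectX500Principal()
                        + " not valid before " + cert.getNotBefore(), e);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java X509ValidityCheck <certificate.pem>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            X509Certificate[] chain = { cert };

            // Affected behaviour: an expired certificate still passes this check.
            System.out.println("subject-only check accepts: " + acceptWithoutTimestampCheck(chain));

            // Hardened behaviour: the same certificate is rejected with a reason.
            try {
                validateTimestamps(chain, new Date());
                System.out.println("timestamp check: valid until " + cert.getNotAfter());
            } catch (CertificateException e) {
                System.out.println("timestamp check rejects: " + e.getMessage());
            }
        }
    }
}
```

Run it against any PEM-encoded certificate whose notAfter date has already passed: the first check reports acceptance, while validateTimestamps rejects the certificate. Note that this only covers the validity period; a complete authenticator must still verify the chain against the trusted CAs and check revocation, which are separate steps.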
Acknowledgments: Name: Luca Leonardo Scorcia
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 7 Via RHSA-2021:3528 https://access.redhat.com/errata/RHSA-2021:3528
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 8 Via RHSA-2021:3529 https://access.redhat.com/errata/RHSA-2021:3529
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4 for RHEL 6 Via RHSA-2021:3527 https://access.redhat.com/errata/RHSA-2021:3527
This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.9 Via RHSA-2021:3534 https://access.redhat.com/errata/RHSA-2021:3534
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-35509