Bug 2010164 (CVE-2021-3856) - CVE-2021-3856 keycloak-services: ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader
Summary: CVE-2021-3856 keycloak-services: ClassLoaderTheme and ClasspathThemeResourceP...
Keywords:
Status: NEW
Alias: CVE-2021-3856
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2009712 2010282
Reported: 2021-10-04 05:21 UTC by Paramvir jindal
Modified: 2023-07-11 10:48 UTC
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Paramvir jindal 2021-10-04 05:21:20 UTC
https://issues.redhat.com/browse/KEYCLOAK-19422

https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/theme/ClasspathThemeResourceProviderFactory.java

The ThemeResource resource exposes an endpoint for fetching theme resources:

@GET
@Path("/{version}/{themeType}/{themeName}/{path:.*}")
public Response getResource(@PathParam("version") String version, @PathParam("themeType") String themType, @PathParam("themeName") String themeName, @PathParam("path") String path) {
...
}

The class-based resource loaders are implemented as:

public InputStream getResourceAsStream(String path) {
    return classLoader.getResourceAsStream(resourceRoot + path);
}

This has no checks for the path parameter, allowing relative traversals like ../.

By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available.

In practice this exposes any files packaged within the deployed module, including other resources available as a classloader resource.

Disallowing double dots in the path component is probably the easiest fix.
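
As an added illustration, not Keycloak's code and not the fix that was eventually shipped, the standalone Java program below models the loader shape quoted in the report: a fixed resourceRoot prefix, a caller-controlled path, and ClassLoader.getResourceAsStream. It places a constructed sample theme file and a constructed sensitive file under one directory served by a URLClassLoader, then compares the plain concatenating lookup with one that applies the "disallow double dots" idea, generalized to accepting only plain relative paths of simple segments. The class name, method names, resource root, and sample files are all assumptions made for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Stand-in for the class-based theme resource loader described in the report.
 * Added example, not Keycloak code: names, resource root and sample files are assumptions.
 * Requires Java 11 or later.
 */
public class ThemeTraversalDemo {

    // Hypothetical resourceRoot prefix, shaped like the one the quoted loader concatenates onto.
    static final String RESOURCE_ROOT = "theme/base/login/resources/";

    // Vulnerable shape from the report: the caller-controlled path is concatenated and passed straight through.
    static InputStream vulnerableGet(ClassLoader cl, String path) {
        return cl.getResourceAsStream(RESOURCE_ROOT + path);
    }

    // Hardened shape: refuse anything that is not a plain relative path of simple segments.
    static InputStream hardenedGet(ClassLoader cl, String path) {
        String safe = sanitize(path);
        return safe == null ? null : cl.getResourceAsStream(RESOURCE_ROOT + safe);
    }

    /**
     * Returns the path rebuilt from its segments, or null if it must be refused.
     * This generalizes the report's "disallow double dots" suggestion: besides "..", it rejects
     * absolute paths, backslashes, NUL bytes, "." and empty segments, so the classloader only
     * ever sees paths of the form "a/b/c.css" below RESOURCE_ROOT.
     */
    static String sanitize(String path) {
        if (path == null || path.isEmpty()) {
            return null;
        }
        if (path.indexOf('\0') >= 0 || path.indexOf('\\') >= 0 || path.startsWith("/")) {
            return null;
        }
        StringBuilder out = new StringBuilder();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return null;
            }
            if (out.length() > 0) {
                out.append('/');
            }
            out.append(segment);
        }
        return out.toString();
    }

    static String read(InputStream in) throws IOException {
        if (in == null) {
            return "<refused or not found>";
        }
        try (in) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample deployment: one theme stylesheet plus an unrelated sensitive file
        // in the same root, standing in for "other resources available as a classloader resource".
        // toRealPath() resolves symlinked temp directories so the JDK's own canonical-path check still matches.
        Path root = Files.createTempDirectory("theme-demo").toRealPath();
        Path css = root.resolve(RESOURCE_ROOT + "style.css");
        Files.createDirectories(css.getParent());
        Files.writeString(css, "body { color: black; }");
        Path secret = root.resolve("secret/app.properties");
        Files.createDirectories(secret.getParent());
        Files.writeString(secret, "db.password=constructed-sample-value");

        // A classloader whose resources are exactly the files under root, like a deployed module's.
        try (URLClassLoader cl = new URLClassLoader(new URL[] { root.toUri().toURL() }, null)) {
            String traversal = "../../../../secret/app.properties";
            System.out.println("style.css via vulnerable loader: " + read(vulnerableGet(cl, "style.css")));
            System.out.println("style.css via hardened loader  : " + read(hardenedGet(cl, "style.css")));
            System.out.println("traversal via vulnerable loader: " + read(vulnerableGet(cl, traversal)));
            System.out.println("traversal via hardened loader  : " + read(hardenedGet(cl, traversal)));
        }
    }
}
```

Run it with `java ThemeTraversalDemo.java` (single-file launch, Java 11 or later). The legitimate request is served by both variants; the traversal request is served by the vulnerable variant and refused by the hardened one before any loader sees it. In this demo the JDK's directory-backed URLClassLoader canonicalizes a name containing ".." and only checks that the result stays below the classloader's root directory, which is exactly the reporter's point: anything packaged under the deployment remains reachable. How far a traversal reaches in a real deployment depends on how the container's classloader resolves names, so the check belongs on the request path rather than on assumptions about the loader. Because JAX-RS decodes @PathParam values before the method runs, single URL-encoded dots arrive as literal ".." and are caught by the same check.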

Comment 2 Jonathan Christison 2021-10-04 17:43:36 UTC
This vulnerability is out of security support scope for the following products:
 
* Red Hat AMQ Online 

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes and https://access.redhat.com/solutions/5941551 for more details.

