Bug 2141404 (CVE-2022-3916) - CVE-2022-3916 keycloak: Session takeover with OIDC offline refreshtokens
Summary: CVE-2022-3916 keycloak: Session takeover with OIDC offline refreshtokens
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-3916
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2141102
TreeView+ depends on / blocked
 
Reported: 2022-11-09 18:06 UTC by Patrick Del Bello
Modified: 2023-09-14 14:34 UTC (History)
7 users (show)

Fixed In Version: keycloak 20.0.2
Doc Type: ---
Doc Text:
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.
Clone Of:
Environment:
Last Closed: 2022-12-14 10:19:53 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:8961 0 None None None 2022-12-13 14:00:30 UTC
Red Hat Product Errata RHSA-2022:8962 0 None None None 2022-12-13 14:00:46 UTC
Red Hat Product Errata RHSA-2022:8963 0 None None None 2022-12-13 14:01:01 UTC
Red Hat Product Errata RHSA-2022:8964 0 None None None 2022-12-13 15:30:33 UTC
Red Hat Product Errata RHSA-2022:8965 0 None None None 2022-12-13 14:05:10 UTC
Red Hat Product Errata RHSA-2023:1043 0 None None None 2023-03-01 21:43:44 UTC
Red Hat Product Errata RHSA-2023:1044 0 None None None 2023-03-01 21:46:11 UTC
Red Hat Product Errata RHSA-2023:1045 0 None None None 2023-03-01 21:48:38 UTC
Red Hat Product Errata RHSA-2023:1047 0 None None None 2023-03-01 21:51:24 UTC
Red Hat Product Errata RHSA-2023:1049 0 None None None 2023-03-01 21:59:40 UTC

Description Patrick Del Bello 2022-11-09 18:06:51 UTC 
An issue was discovered in Keycloak when using a client with the offline_access scope. Reuse of session ids across root and user authentication sessions and a lack of root session validation enabled attackers to resolve a user session attached to a different previously authenticated user.

This issue most affects users of shared computers. Suppose a user logs out of their account (without clearing their cookies) in a mobile app or similar client that includes the offline_access scope, and another user authenticates to the application. In that case, it will share the same root session id, and when utilizing the refresh token, they will be issued a token for the original user.
Comment 2 errata-xmlrpc 2022-12-13 14:00:29 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2022:8961 https://access.redhat.com/errata/RHSA-2022:8961
Comment 3 errata-xmlrpc 2022-12-13 14:00:45 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2022:8962 https://access.redhat.com/errata/RHSA-2022:8962
Comment 4 errata-xmlrpc 2022-12-13 14:00:59 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2022:8963 https://access.redhat.com/errata/RHSA-2022:8963
Comment 5 errata-xmlrpc 2022-12-13 14:05:08 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6.1

Via RHSA-2022:8965 https://access.redhat.com/errata/RHSA-2022:8965
Comment 6 errata-xmlrpc 2022-12-13 15:30:31 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:8964 https://access.redhat.com/errata/RHSA-2022:8964
Comment 7 Product Security DevOps Team 2022-12-14 10:19:51 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3916
Comment 8 errata-xmlrpc 2023-03-01 21:43:42 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043
Comment 9 errata-xmlrpc 2023-03-01 21:46:09 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044
Comment 10 errata-xmlrpc 2023-03-01 21:48:36 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045
Comment 11 errata-xmlrpc 2023-03-01 21:51:22 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047
Comment 12 errata-xmlrpc 2023-03-01 21:59:38 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049
Note You need to log in before you can comment on or make changes to this bug.