Bug 2182196 (CVE-2023-1664) - CVE-2023-1664 keycloak: Untrusted Certificate Validation
Summary: CVE-2023-1664 keycloak: Untrusted Certificate Validation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-1664
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: low low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2155676
Reported: 2023-03-27 20:50 UTC by Patrick Del Bello
Modified: 2024-04-17 17:33 UTC

Fixed In Version: keycloak-core 21.1.2
Doc Type: ---
Doc Text:
A flaw was found in Keycloak. This flaw requires the non-default configuration "Revalidate Client Certificate" to be enabled and a reverse proxy that does not validate the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing or misconfigured, any trustfile may be accepted, with the log message "Cannot validate client certificate trust: Truststore not available". This may not impact availability, but it may impact the integrity or confidentiality of consumer applications. Provided the environment is correctly set, this flaw is avoidable by configuring the server.
Clone Of:
Environment:
Last Closed: 2023-06-27 23:30:55 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:3883 0 None None None 2023-06-27 18:49:48 UTC
Red Hat Product Errata RHSA-2023:3884 0 None None None 2023-06-27 18:49:39 UTC
Red Hat Product Errata RHSA-2023:3885 0 None None None 2023-06-27 18:49:32 UTC
Red Hat Product Errata RHSA-2023:3888 0 None None None 2023-06-27 18:49:55 UTC
Red Hat Product Errata RHSA-2023:3892 0 None None None 2023-06-27 18:53:53 UTC
Red Hat Product Errata RHSA-2023:5491 0 None None None 2023-10-05 22:37:35 UTC

Description Patrick Del Bello 2023-03-27 20:50:10 UTC
A flaw was found in keycloak-core. This flaw considers the scenario when using the X509 Client Certificate Authenticator with the option "Revalidate Client Certificate". A user may be able to choose a specific certificate if directly connecting to Keycloak (not passing via a reverse proxy). If there's a configuration error in KC_SPI_TRUSTSTORE_FILE_FILE, the authenticator still allows authentication even with the "Cannot validate client certificate trust: Truststore not available" message, as there's no certificate to trust against.
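The fail-open decision the report describes, as an added Python model that is not Keycloak's code: trust revalidation is reduced to matching the issuer's signing-key fingerprint against a truststore, and the logger name, fingerprints and sample certificates are constructed for illustration. The vulnerable variant only logs the "Truststore not available" message and proceeds; the hardened variant rejects.

```python
"""Model of the trust revalidation decision behind CVE-2023-1664 (hypothetical
simplification, not Keycloak's code): a client certificate is trusted when its
issuer is in the truststore with the expected signing-key fingerprint."""
import logging
from dataclasses import dataclass
from typing import Dict, Optional

log = logging.getLogger("x509-client-cert-authenticator")  # assumed logger name
# Log line quoted in the report when KC_SPI_TRUSTSTORE_FILE_FILE is missing.
TRUSTSTORE_MISSING_MSG = "Cannot validate client certificate trust: Truststore not available"

@dataclass(frozen=True)
class ClientCert:
    subject: str
    issuer: str
    issuer_key_fp: str  # fingerprint of the CA key that signed this cert

def chain_trusted(cert: ClientCert, truststore: Dict[str, str]) -> bool:
    """Trusted only if the issuer is a known CA and the signing key matches."""
    return truststore.get(cert.issuer) == cert.issuer_key_fp

def authenticate_vulnerable(cert: ClientCert, truststore: Optional[Dict[str, str]],
                            revalidate: bool) -> bool:
    """Behaviour described in the report: a missing truststore is only logged."""
    if not revalidate:
        return True  # assumes the reverse proxy already validated the chain
    if truststore is None:
        log.warning(TRUSTSTORE_MISSING_MSG)
        return True  # fail-open: any presented certificate passes
    return chain_trusted(cert, truststore)

def authenticate_hardened(cert: ClientCert, truststore: Optional[Dict[str, str]],
                          revalidate: bool) -> bool:
    """Fail-closed: revalidation without a truststore is a rejection, not a warning."""
    if not revalidate:
        return True
    if truststore is None:
        log.error("%s; rejecting authentication", TRUSTSTORE_MISSING_MSG)
        return False
    return chain_trusted(cert, truststore)

# Constructed sample data (not from the original report).
CORP_TRUSTSTORE = {"CN=Corp Root CA": "fp-corp-root-0001"}
LEGIT_CERT = ClientCert("CN=alice", "CN=Corp Root CA", "fp-corp-root-0001")
UNTRUSTED_CERT = ClientCert("CN=alice", "CN=Corp Root CA", "fp-unknown-ca-9999")
```

With a truststore present both variants agree; the difference only appears when the truststore is missing and revalidation is enabled, which is exactly the configuration the report names.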

Comment 4 errata-xmlrpc 2023-06-27 18:49:28 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:3885 https://access.redhat.com/errata/RHSA-2023:3885

Comment 5 errata-xmlrpc 2023-06-27 18:49:36 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:3884 https://access.redhat.com/errata/RHSA-2023:3884

Comment 6 errata-xmlrpc 2023-06-27 18:49:44 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:3883 https://access.redhat.com/errata/RHSA-2023:3883

Comment 7 errata-xmlrpc 2023-06-27 18:49:52 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:3888 https://access.redhat.com/errata/RHSA-2023:3888

Comment 8 errata-xmlrpc 2023-06-27 18:53:50 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:3892 https://access.redhat.com/errata/RHSA-2023:3892

Comment 9 Product Security DevOps Team 2023-06-27 23:30:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-1664

Comment 10 errata-xmlrpc 2023-10-05 22:37:32 UTC
This issue has been addressed in the following products:

  AMQ Broker 7.11.2

Via RHSA-2023:5491 https://access.redhat.com/errata/RHSA-2023:5491

