A vulnerability has been discovered in the way RH-SSO handles offline tokens, which can be exploited to cause a denial of service via memory exhaustion. The issue is caused by the way how the server processes offline tokens. An attacker can exploit this vulnerability by creating just two offline tokens. Once these tokens are created, the attacker can interact with the endpoint by triggering a list of the multiple sessions of the user. In environments where there could be potentially millions of offline tokens created by all users, this action leads to an excessive consumption of server memory.
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:7855 https://access.redhat.com/errata/RHSA-2023:7855
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:7856 https://access.redhat.com/errata/RHSA-2023:7856
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:7854 https://access.redhat.com/errata/RHSA-2023:7854
This issue has been addressed in the following products: Single Sign-On 7.6.6 Via RHSA-2023:7858 https://access.redhat.com/errata/RHSA-2023:7858
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:7857 https://access.redhat.com/errata/RHSA-2023:7857