{
  "threat_severity" : "Low",
  "public_date" : "2023-03-27T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: Untrusted Certificate Validation",
    "id" : "2182196",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2182196"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-295",
  "details" : [ "A flaw was found in Keycloak. This flaw depends on a non-default configuration \"Revalidate Client Certificate\" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of \"Cannot validate client certificate trust: Truststore not available\". This may not impact availability as the attacker would have no access to the server, but consumer applications Integrity or Confidentiality may be impacted considering a possible access to them. Considering the environment is correctly set to use \"Revalidate Client Certificate\" this flaw is avoidable.", "A flaw was found in Keycloak. This flaw depends on a non-default configuration \"Revalidate Client Certificate\" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated by the server. If this happens and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any trustfile may be accepted with the logging information of \"Cannot validate client certificate trust: Truststore not available\". \nThis may not impact availability, but consumer applications Integrity or Confidentiality. Considering the environment is correctly set, this flaw is avoidable by configuring the server." ],
  "statement" : "Red Hat Impact rated as a low impact considering there's a mitigation for this issue which would be consider the environment is correctly set with the truststore file. With these settings, the environment there's no evidence of attack possibility. Also it's possible to track under the server logs for more evidences.",
  "acknowledgement" : "Red Hat would like to thank Henrik Oehmke (adesso SE) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "AMQ Broker 7.11.2",
    "release_date" : "2023-10-05T00:00:00Z",
    "advisory" : "RHSA-2023:5491",
    "cpe" : "cpe:/a:redhat:amq_broker:7",
    "package" : "keycloak-core"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "release_date" : "2023-06-27T00:00:00Z",
    "advisory" : "RHSA-2023:3892",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6.4"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7",
    "release_date" : "2023-06-27T00:00:00Z",
    "advisory" : "RHSA-2023:3883",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7",
    "package" : "rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8",
    "release_date" : "2023-06-27T00:00:00Z",
    "advisory" : "RHSA-2023:3884",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8",
    "package" : "rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el8sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9",
    "release_date" : "2023-06-27T00:00:00Z",
    "advisory" : "RHSA-2023:3885",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9",
    "package" : "rh-sso7-keycloak-0:18.0.8-1.redhat_00001.1.el9sso"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2023-06-27T00:00:00Z",
    "advisory" : "RHSA-2023:3888",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rh-sso-7/sso76-openshift-rhel8:7.6-24"
  } ],
  "package_state" : [ {
    "product_name" : "Migration Toolkit for Runtimes",
    "fix_state" : "Affected",
    "package_name" : "org.keycloak-keycloak-core",
    "cpe" : "cpe:/a:redhat:migration_toolkit_runtimes:1"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Fix deferred",
    "package_name" : "keycloak-core",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Fix deferred",
    "package_name" : "org.keycloak/keycloak-core",
    "cpe" : "cpe:/a:redhat:quarkus:2"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Fix deferred",
    "package_name" : "keycloak-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "keycloak-httpd-client-install",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-1664\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-1664\nhttps://github.com/advisories/GHSA-5cc8-pgp5-7mpm" ],
  "name" : "CVE-2023-1664",
  "mitigation" : {
    "value" : "Make sure KC_SPI_TRUSTSTORE_FILE_FILE is correctly set and the logs are not reporting the \"Cannot validate client certificate trust: Truststore not available\" after an attempt to explore the vulnerability. Note this message may happen under other scenarios and reasons but the expected behavior would be that a non-valid certificate to pass.",
    "lang" : "en:us"
  },
  "csaw" : false
}