{
  "threat_severity" : "Important",
  "public_date" : "2023-12-14T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: offline session token DoS",
    "id" : "2253308",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2253308"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the \"consents\" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions, leading to excessive memory and CPU consumption which could potentially crash the entire system.", "An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the \"consents\" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions, leading to excessive memory and CPU consumption which could potentially crash the entire system." ],
  "statement" : "While this vulnerability can enable complete compromise of system availability, it cannot be triggered in every environment. The impact is rated as Important due to several preconditions (the number of users and how many sessions each user has) which are beyond an attacker's control.",
  "affected_release" : [ {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7",
    "release_date" : "2023-12-14T00:00:00Z",
    "advisory" : "RHSA-2023:7854",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7",
    "package" : "rh-sso7-keycloak-0:18.0.11-2.redhat_00003.1.el7sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8",
    "release_date" : "2023-12-14T00:00:00Z",
    "advisory" : "RHSA-2023:7856",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8",
    "package" : "rh-sso7-keycloak-0:18.0.11-2.redhat_00003.1.el8sso"
  }, {
    "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9",
    "release_date" : "2023-12-14T00:00:00Z",
    "advisory" : "RHSA-2023:7855",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9",
    "package" : "rh-sso7-keycloak-0:18.0.11-2.redhat_00003.1.el9sso"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2023-12-14T00:00:00Z",
    "advisory" : "RHSA-2023:7857",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rh-sso-7/sso76-openshift-rhel8:7.6-38"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2023-12-14T00:00:00Z",
    "advisory" : "RHSA-2023:7857",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rh-sso-7/sso7-rhel8-operator-bundle:7.6.6-2"
  }, {
    "product_name" : "Single Sign-On 7.6.6",
    "release_date" : "2023-12-14T00:00:00Z",
    "advisory" : "RHSA-2023:7858",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6.6",
    "package" : "rh-sso7-keycloak"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Not affected",
    "package_name" : "keycloak-core",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-6563\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-6563\nhttps://github.com/keycloak/keycloak/issues/13340" ],
  "name" : "CVE-2023-6563",
  "mitigation" : {
    "value" : "There are three main options to prevent exploitation:\n1) If you are using a reverse proxy, block the consents URL.\n2) This option is less effective: remove the consents application tab from the account console theme.\n3) This option has a significant negative impact on end users: entirely disable offline user profiles.",
    "lang" : "en:us"
  },
  "csaw" : false
}