Red Hat Product Errata RHSA-2023:7861 - Security Advisory
Issued:
2023-12-14
Updated:
2023-12-14

RHSA-2023:7861 - Security Advisory

Synopsis

Important: Red Hat build of Keycloak 22.0.7 images enhancement and security update

Type/Severity

Security Advisory: Important

Topic

A security update is now available for Red Hat build of Keycloak 22.0.7 images running on OpenShift Container Platform.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat build of Keycloak 22.0.7 is an integrated solution, available as a Red Hat JBoss Middleware for OpenShift containerized image, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

This erratum releases a security update and enhancement images for Red Hat build of Keycloak 22.0.7 for use within the OpenShift Container Platform 4.12, 4.13 and 4.14 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.

Security Fix(es):

  • reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6291)
  • redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts (CVE-2023-6134)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat build of Keycloak Text-only Advisories x86_64

Fixes

  • BZ - 2249673 - CVE-2023-6134 keycloak: reflected XSS via wildcard in OIDC redirect_uri
  • BZ - 2251407 - CVE-2023-6291 keycloak: redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts

ppc64le

rhbk/keycloak-rhel9@sha256:cae4e2e48188b03a76a4e13e061e16cae7ee053bf32ec164ed140dce30c94cbf
rhbk/keycloak-rhel9-operator@sha256:b79c5a6857d87daedeb8bf90fd4df9f73a663c5dc1567a5855eeebc8776d8b04

s390x

rhbk/keycloak-rhel9@sha256:ff4d7fbeb78a227d9078acb131a0762f36df194f905f5c8f1434efe073355b92
rhbk/keycloak-rhel9-operator@sha256:96bdf3a2d1491a1cf26c0f8e46ff0b124d27f8ae67181b6e52faffc5cafd8837

x86_64

rhbk/keycloak-operator-bundle@sha256:95af3ba537cf925f0359d54c7cd6d1dc360c9f109dcdd79322e9eb981c9b1ec6
rhbk/keycloak-rhel9@sha256:ca08c57756107d6701bdc10590466a7ca7a42bf1bc7883e9df3d4b6b04800343
rhbk/keycloak-rhel9-operator@sha256:c27cc8e7d7afc40125624c250be2cbefc9589645df6890bef6b601bbcfd0a9d7

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.