CVE-2020-10758
First published: Thu Jun 04 2020(Updated: )
A flaw was found in Keycloak. This flaw allows an attacker to perform a denial of service attack by sending multiple simultaneous requests with a Content-Length header value greater than the actual byte count of the request body. The highest threat from this vulnerability is to system availability.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/keycloak | <11.0.1 | 11.0.1 |
| redhat/rh-sso7-keycloak | <0:9.0.5-1.redhat_00001.1.el6 | 0:9.0.5-1.redhat_00001.1.el6 |
| redhat/rh-sso7-keycloak | <0:9.0.5-1.redhat_00001.1.el7 | 0:9.0.5-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:9.0.5-1.redhat_00001.1.el8 | 0:9.0.5-1.redhat_00001.1.el8 |
| Redhat Keycloak | <11.0.1 | |
| Redhat Openshift Application Runtimes | ||
| Redhat Openshift Application Runtimes | =1.0 | |
| Redhat Single Sign-on | ||
| Redhat Single Sign-on | =7.0 | |
| Redhat Single Sign-on | =7.4 |
Remedy
- The possibility of this issue largely depends on the environment, specifically the load balancer or reverse proxies between the client and the server. The issue occurs when there is no load balancer in place. - Proper tuning of HTTP request timeout and keycloak database max pool size can mitigate this issue : bin/jboss-cli.sh --connect --commands='/subsystem=transactions:write-attribute(name=default-timeout,value=30),/subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=read-timeout,value=30000),/subsystem=undertow/server=default-server/https-listener=https/:write-attribute(name=read-timeout,value=30000),/subsystem=datasources/data-source=KeycloakDS/:write-attribute(name=max-pool-size,value=100),reload'
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1843849
- https://github.com/keycloak/keycloak/commit/bee4ca89897766c4b68856eafe14f1a3dad34251
- https://issues.redhat.com/browse/KEYCLOAK-14363
- https://access.redhat.com/errata/RHSA-2020:3495
- https://access.redhat.com/errata/RHSA-2020:3496
- https://access.redhat.com/errata/RHSA-2020:3497
- https://access.redhat.com/errata/RHSA-2020:3501
- https://access.redhat.com/security/cve/cve-2020-10758
- https://access.redhat.com/errata/RHSA-2020:3539
- https://www.cve.org/CVERecord?id=CVE-2020-10758 https://nvd.nist.gov/vuln/detail/CVE-2020-10758
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID of this flaw in Keycloak?
The vulnerability ID of this flaw in Keycloak is CVE-2020-10758.
What is the impact of the CVE-2020-10758 vulnerability?
The highest threat from the CVE-2020-10758 vulnerability is to system availability.
How can an attacker exploit the CVE-2020-10758 vulnerability?
An attacker can exploit the CVE-2020-10758 vulnerability by sending multiple simultaneous requests with a Content-Length header value greater than the actual byte count of the request body.
Which versions of Keycloak are affected by CVE-2020-10758?
Versions prior to 11.0.1 of Keycloak are affected by CVE-2020-10758.
How do I fix the CVE-2020-10758 vulnerability in Keycloak?
To fix the CVE-2020-10758 vulnerability in Keycloak, you should update your Keycloak installation to version 11.0.1 or higher.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/author
- agent/severity
- agent/references
- agent/remedy
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-10758
- agent/software-canonical-lookup
- agent/tags
- agent/event
- agent/trending
- package-manager/redhat
- vendor/redhat
- canonical/redhat keycloak
- canonical/redhat openshift application runtimes
- version/redhat openshift application runtimes/1.0
- canonical/redhat single sign-on
- version/redhat single sign-on/7.0
- version/redhat single sign-on/7.4