CVE-2023-6563: Keycloak: offline session token dos
First published: Wed Dec 06 2023(Updated: )
A vulnerability has been discovered in the way RH-SSO handles offline tokens, which can be exploited to cause a denial of service via memory exhaustion. The issue is caused by the way how the server processes offline tokens. An attacker can exploit this vulnerability by creating just two offline tokens. Once these tokens are created, the attacker can interact with the endpoint by triggering a list of the multiple sessions of the user. In environments where there could be potentially millions of offline tokens created by all users, this action leads to an excessive consumption of server memory.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.keycloak:keycloak-model-jpa | <21.0.0 | 21.0.0 |
| redhat/keycloak | <21.0.0 | 21.0.0 |
| Red Hat Keycloak | <21.0.0 | |
| All of | ||
| redhat single sign-on | =7.6 | |
| Any of | ||
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux | =9.0 | |
| redhat single sign-on | ||
| All of | ||
| Any of | ||
| redhat openshift container platform | =4.11 | |
| redhat openshift container platform | =4.12 | |
| Red Hat Enterprise Linux | =8.0 | |
| All of | ||
| Any of | ||
| Red Hat OpenShift Container Platform for Power | =4.9 | |
| Red Hat OpenShift Container Platform for Power | =4.10 | |
| Red Hat Enterprise Linux | =8.0 | |
| All of | ||
| Any of | ||
| Red Hat OpenShift Container Platform for IBM LinuxONE | =4.9 | |
| Red Hat OpenShift Container Platform for IBM LinuxONE | =4.10 | |
| Red Hat Enterprise Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2023:7854
- https://access.redhat.com/errata/RHSA-2023:7855
- https://access.redhat.com/errata/RHSA-2023:7856
- https://access.redhat.com/errata/RHSA-2023:7857
- https://access.redhat.com/errata/RHSA-2023:7858
- https://access.redhat.com/security/cve/CVE-2023-6563
- https://bugzilla.redhat.com/show_bug.cgi?id=2253308
- https://github.com/keycloak/keycloak/issues/13340
- https://nvd.nist.gov/vuln/detail/CVE-2023-6563
- https://github.com/keycloak/keycloak/pull/15463
- https://github.com/keycloak/keycloak/commit/556146f961f7c8ddf64de15e2117a58d045f72b5
- https://github.com/advisories/GHSA-54f3-c6hg-865h (Advisory)
Frequently Asked Questions
What is the severity of CVE-2023-6563?
CVE-2023-6563 is classified as a high-severity vulnerability due to its potential for causing denial of service through memory exhaustion.
How do I fix CVE-2023-6563?
To mitigate CVE-2023-6563, upgrade to the fixed versions, specifically keycloak and keycloak-model-jpa at version 21.0.0 or higher.
What products are affected by CVE-2023-6563?
CVE-2023-6563 affects Red Hat Single Sign-On versions up to 7.6 and Keycloak versions up to 21.0.0.
Can CVE-2023-6563 be exploited remotely?
Yes, CVE-2023-6563 can be exploited remotely if an attacker sends crafted requests targeting offline tokens.
What impact does CVE-2023-6563 have on my system?
Exploitation of CVE-2023-6563 may lead to a denial of service, causing system instability and performance degradation.
- collector/github-advisory-latest
- alias/GHSA-54f3-c6hg-865h
- alias/CVE-2023-6563
- collector/github-advisory
- agent/references
- agent/type
- agent/first-publish-date
- agent/author
- agent/severity
- agent/weakness
- agent/title
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/event
- agent/description
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/maven
- package-manager/redhat
- vendor/redhat
- canonical/red hat keycloak
- canonical/redhat single sign-on
- version/redhat single sign-on/7.6
- canonical/red hat enterprise linux
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0
- version/red hat enterprise linux/9.0
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.11
- version/redhat openshift container platform/4.12
- canonical/red hat openshift container platform for power
- version/red hat openshift container platform for power/4.9
- version/red hat openshift container platform for power/4.10
- canonical/red hat openshift container platform for ibm linuxone
- version/red hat openshift container platform for ibm linuxone/4.9
- version/red hat openshift container platform for ibm linuxone/4.10