We would recommend updating affected versions to version 12.0.1. The flaw has been fixed, and there is no reason to stay on an outdated version.
A second flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.
We would recommend updating affected versions to version 12.0.1. The flaw has been fixed, and there is no reason to stay on an outdated version.
A third vulnerability was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.
We would recommend updating affected versions to version 12.0.1. The flaw has been fixed, and there is no reason to stay on an outdated version.
Keycloak Vulnerability Landscape
A keycloak vulnerability in versions 11.0.3 and 12.0.0 was found to have lead to the acceptance of an expired certificate by the direct-grant authenticator. This would allow attackers to impersonate the server, leading to data confidentiality and integrity threats. The highest threat from this vulnerability is to data confidentiality and integrity, with a medium risk of remote code execution.
A second keycloak vulnerability in versions 11.0.3 and 12.0.0 was found to have lead to the acceptance of an expired certificate by the direct-grant authenticator due to missing time stamp validations, which would allow attackers to impersonate the server and lead to data confidentiality and integrity threats that are higher than those created by version 1 vulnerability mentioned above; however, they are not as high as the version 2 vulnerability mentioned below because of this lack of remote code execution potentiality
What is Keycloak?
Keycloak is an open source identity and access management solution from the Eclipse Foundation. It integrates with your existing infrastructure to provide a federated authentication service, while also providing identity-based security.
Timeline
Published on: 08/23/2022 16:15:00 UTC
Last modified on: 08/26/2022 12:50:00 UTC