Multiple vulnerabilities found in Keycloak image #19646
Comments
jenia90
added
the
kind/bug
che-bot
added
the
status/need-triage
tolusha
added
area/install
skabashnyuk
removed
the
status/need-triage
|
@skabashnyuk hey, I have a fix for most of the vulnerabilities found in this list. The fix is just raising the version of jboss/keycloak in the docker file. Is there anything special I should do before creating a PR? |
During or in parallel - up2you. The main thing - we should ensure that all installation methods (operator and helm) support smooth upgrade from the old version of keycloak to the new without extra manual steps. |
|
@tolusha |
|
I close this issue since it was opened for a previous keycloak version 6.0.1 |
Describe the bug
When my team and I tried to get the images into our private container registry the automatic vulnerability scan, which is part of the process, found the following list of vulnerabilities:
Name: CVE-2021-21344
CVSS Score v3: 9.8
Severity: critical
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/keycloak/com/thoughtworks/xstream/main/xstream-1.4.10.jar
Name: CVE-2019-14540
CVSS Score v3: 9.8
Severity: critical
Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jar
Name: CVE-2020-8840
CVSS Score v3: 9.8
Severity: critical
Description: FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jar
Name: CVE-2019-16942
CVSS Score v3: 9.8
Severity: critical
Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jar
Name: CVE-2021-21342
CVSS Score v3: 9.1
Severity: critical
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/keycloak/com/thoughtworks/xstream/main/xstream-1.4.10.jar
Name: CVE-2019-16943
CVSS Score v3: 9.8
Severity: critical
Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jar
Name: RHSA-2019:2571
CVSS Score v3: 9.8
Severity: critical
Description: An update for pango is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Pango is a library for laying out and rendering of text, with an emphasis on internationalization. Pango forms the core of text and font handling for the GTK+ widget toolkit.
Security Fix(es): pango: pango_log2vis_get_embedding_levels() heap-based buffer overflow (CVE-2019-1010238)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
pango: pango_log2vis_get_embedding_levels() heap-based buffer overflow. Impacted Image File(s):
Name: CVE-2019-17531
CVSS Score v3: 9.8
Severity: critical
Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jar
Name: CVE-2019-20445
CVSS Score v3: 9.1
Severity: critical
Description: HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/io/netty/main/netty-all-4.1.29.Final.jar
Name: RHSA-2019:1587
CVSS Score v3: 9.8
Severity: critical
Description: An update for python is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.
Security Fix(es):
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
python: regression of CVE-2019-9636 due to functional fix to allow port numbers in netloc. Impacted Image File(s):
Name: CVE-2019-20444
CVSS Score v3: 9.1
Severity: critical
Description: HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold.". Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/io/netty/main/netty-all-4.1.29.Final.jar
Name: CVE-2013-7285
CVSS Score v3: 9.8
Severity: critical
Description: Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/keycloak/com/thoughtworks/xstream/main/xstream-1.4.10.jar
Name: CVE-2019-3888
CVSS Score v3: 9.8
Severity: critical
Description: A vulnerability was found in Undertow web server before 2.0.21. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange). Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/io/undertow/core/main/undertow-core-2.0.19.Final.jar
Name: CVE-2020-10683
CVSS Score v3: 9.8
Severity: critical
Description: dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/org/dom4j/main/dom4j-2.1.1.jar
Name: CVE-2020-1731
CVSS Score v3: 9.8
Severity: critical
Description: A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a random admin password when installing Keycloak, however the password remains the same when deployed to the same OpenShift namespace.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/keycloak/org/keycloak/keycloak-core/main/keycloak-core-6.0.1.jar
Name: CVE-2019-16335
CVSS Score v3: 9.8
Severity: critical
Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jar
Name: CVE-2019-14893
CVSS Score v3: 9.8
Severity: critical
Description: A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as
enableDefaultTyping()or when @JsonTypeInfo is usingId.CLASSorId.MINIMAL_CLASSor in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jarName: CVE-2019-14892
CVSS Score v3: 9.8
Severity: critical
Description: A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jar
Name: CVE-2020-9546
CVSS Score v3: 9.8
Severity: critical
Description: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jar
Name: CVE-2021-21351
CVSS Score v3: 9.1
Severity: critical
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/keycloak/com/thoughtworks/xstream/main/xstream-1.4.10.jar
Name: CVE-2021-21350
CVSS Score v3: 9.8
Severity: critical
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/keycloak/com/thoughtworks/xstream/main/xstream-1.4.10.jar
Name: CVE-2020-9547
CVSS Score v3: 9.8
Severity: critical
Description: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jar
Name: CVE-2019-17267
CVSS Score v3: 9.8
Severity: critical
Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jar
Name: CVE-2019-14379
CVSS Score v3: 9.8
Severity: critical
Description: SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jar
Name: CVE-2020-9548
CVSS Score v3: 9.8
Severity: critical
Description: FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jar
Name: CVE-2019-10158
CVSS Score v3: 9.8
Severity: critical
Description: A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring Session integration can result in incorrect session handling.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/org/infinispan/main/infinispan-core-9.4.8.Final.jar
Name: CVE-2019-20330
CVSS Score v3: 9.8
Severity: critical
Description: FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.9.8.jar
Name: CVE-2019-10212
CVSS Score v3: 9.8
Severity: critical
Description: A flaw was found in, all under 2.0.20, in the Undertow DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user's credentials from the log files.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/io/undertow/core/main/undertow-core-2.0.19.Final.jar
Name: CVE-2019-14837
CVSS Score v3: 9.1
Severity: critical
Description: A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/keycloak/org/keycloak/keycloak-services/main/keycloak-services-6.0.1.jar
Name: CVE-2019-3873
CVSS Score v3: 9
Severity: critical
Description: It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/org/picketlink/common/main/picketlink-common-2.5.5.SP12.jar
Name: CVE-2020-1745
CVSS Score v3: 9.8
Severity: critical
Description: A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/io/undertow/core/main/undertow-core-2.0.19.Final.jar
Name: CVE-2017-12629
CVSS Score v3: 9.8
Severity: critical
Description: Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/base/org/apache/lucene/main/lucene-core-5.5.5.jar
Name: CVE-2021-28834
CVSS Score v3: 9.8
Severity: critical
Description: Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.. Impacted Image File(s): /opt/jboss/keycloak/themes/keycloak/common/resources/node_modules/rcue
Name: CVE-2021-21347
CVSS Score v3: 9.8
Severity: critical
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/keycloak/com/thoughtworks/xstream/main/xstream-1.4.10.jar
Name: CVE-2021-21346
CVSS Score v3: 9.8
Severity: critical
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/keycloak/com/thoughtworks/xstream/main/xstream-1.4.10.jar
Name: CVE-2021-21345
CVSS Score v3: 9.9
Severity: critical
Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.. Impacted Image File(s): /opt/jboss/keycloak/modules/system/layers/keycloak/com/thoughtworks/xstream/main/xstream-1.4.10.jar
The text was updated successfully, but these errors were encountered: