Multiple CVEs on GraalVM SDK #11758
abstractj announced in Announcements
Replies: 1 comment
FYI @stianst
A few days ago, our vulnerability scanner reported 5 new CVEs in the Quarkus Operator SDK, a dependency used by the Keycloak Operator. Those CVEs relate to GraalVM, a transitive dependency of the Quarkus Operator SDK.
After internal research and validation by the Keycloak team, we determined that the Keycloak Operator is not susceptible to the reported vulnerabilities. We have been working with the Quarkus team to get them addressed in the Quarkus Operator SDK.
The Keycloak team will continue to monitor the situation with those CVEs and keep an eye on upcoming releases of the Quarkus Operator SDK. Please reach out to us on the Keycloak Security mailing list if you have additional concerns.
GraalVM CVEs
All of the vulnerabilities below apply to Java deployments, typically clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. These vulnerabilities can also be exploited through APIs in the specified component, e.g., through a web service that supplies data to those APIs.
Additional resources