CVE-2023-6563

Summary

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Single Sign-On 7.6 for RHEL 70:18.0.11-2.redhat_00003.1.el7sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 80:18.0.11-2.redhat_00003.1.el8sso < *unaffected
Red HatRed Hat Single Sign-On 7.6 for RHEL 90:18.0.11-2.redhat_00003.1.el9sso < *unaffected
Red HatRHEL-8 based Middleware Containers7.6-38 < *unaffected
Red HatRHEL-8 based Middleware Containers7.6.6-2 < *unaffected

Weaknesses

  • CWE-770: Allocation of Resources Without Limits or Throttling

Workarounds

There are three main options to prevent exploitation:

  1. If you are using a reverse proxy, block the consents URL.
  2. This option is less effective: remove the consents application tab from the account console theme.
  3. This option has a significant negative impact on end users: entirely disable offline user profiles.

ADP Enrichment

CVE Program Container

Additional References

References