CVE-2023-6563
7.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Summary
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Single Sign-On 7.6 for RHEL 7 | 0:18.0.11-2.redhat_00003.1.el7sso < * | unaffected |
| Red Hat | Red Hat Single Sign-On 7.6 for RHEL 8 | 0:18.0.11-2.redhat_00003.1.el8sso < * | unaffected |
| Red Hat | Red Hat Single Sign-On 7.6 for RHEL 9 | 0:18.0.11-2.redhat_00003.1.el9sso < * | unaffected |
| Red Hat | RHEL-8 based Middleware Containers | 7.6-38 < * | unaffected |
| Red Hat | RHEL-8 based Middleware Containers | 7.6.6-2 < * | unaffected |
Weaknesses
- CWE-770: Allocation of Resources Without Limits or Throttling
Workarounds
There are three main options to prevent exploitation:
- If you are using a reverse proxy, block the consents URL.
- This option is less effective: remove the consents application tab from the account console theme.
- This option has a significant negative impact on end users: entirely disable offline user profiles.
ADP Enrichment
CVE Program Container
Additional References
- https://access.redhat.com/errata/RHSA-2023:7854
- https://access.redhat.com/errata/RHSA-2023:7855
- https://access.redhat.com/errata/RHSA-2023:7856
- https://access.redhat.com/errata/RHSA-2023:7857
- https://access.redhat.com/errata/RHSA-2023:7858
- https://access.redhat.com/security/cve/CVE-2023-6563
- https://bugzilla.redhat.com/show_bug.cgi?id=2253308
- https://github.com/keycloak/keycloak/issues/13340
References
- https://access.redhat.com/errata/RHSA-2023:7854
- https://access.redhat.com/errata/RHSA-2023:7855
- https://access.redhat.com/errata/RHSA-2023:7856
- https://access.redhat.com/errata/RHSA-2023:7857
- https://access.redhat.com/errata/RHSA-2023:7858
- https://access.redhat.com/security/cve/CVE-2023-6563
- https://bugzilla.redhat.com/show_bug.cgi?id=2253308
- https://github.com/keycloak/keycloak/issues/13340
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.