CVE-2023-6563

Description

An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the "consents" tab of the admin User Interface, the UI attempts to load a huge number of offline client sessions leading to excessive memory and CPU consumption which could potentially crash the entire system.

CVSS Metrics

• v3.1•HIGH•Score: 7.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.54%• Percentile: 68%

Techniques & Countermeasures

• CWE-770•Allocation of Resources Without Limits or Throttling

  The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

• org.keycloak•keycloak-model-jpa

  < 21.0.0

• redhat•keycloak

  < 21.0.0

• redhat•openshift_container_platform

  4.11 | 4.12

• redhat•openshift_container_platform_for_ibm_linuxone

  4.9 | 4.10

• redhat•openshift_container_platform_for_power

  4.9 | 4.10

• redhat•single_sign-on

  7.6 | na

References (12)

• https://access.redhat.com/errata/RHSA-2023:7854
• https://access.redhat.com/errata/RHSA-2023:7855
• https://access.redhat.com/errata/RHSA-2023:7856
• https://access.redhat.com/errata/RHSA-2023:7857
• https://access.redhat.com/errata/RHSA-2023:7858
• https://access.redhat.com/security/cve/CVE-2023-6563
• https://bugzilla.redhat.com/show_bug.cgi?id=2253308
• https://github.com/keycloak/keycloak/issues/13340
• https://nvd.nist.gov/vuln/detail/CVE-2023-6563
• https://github.com/keycloak/keycloak/pull/15463
• https://github.com/keycloak/keycloak/commit/556146f961f7c8ddf64de15e2117a58d045f72b5
• https://github.com/keycloak/keycloak