Red Hat advisory RHSA-2024:1867
History: Apr 16, 2024 - 8:24 p.m.

(RHSA-2024:1867) Moderate: Red Hat build of Keycloak 22.0.10 enhancement and security update

2024-04-16 20:24:12
Source: access.redhat.com

Tags: red hat keycloak, security update, openshift, authentication, sso, image, cve-2023, cve-2024, bug fix, enhancement, paas

AI Score: 6.6 Medium (Confidence: Low)

EPSS: 0.0005 Low (Percentile: 17.1%)

Red Hat build of Keycloak 22.0.10 is an integrated solution, available as a Red Hat JBoss Middleware for OpenShift containerized image, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security Fix(es):

  • Authorization Bypass (CVE-2023-6544)
  • XSS via assertion consumer service URL in SAML POST-binding flow (CVE-2023-6717)
  • path traversal in redirection validation (CVE-2024-1132)
  • unvalidated cross-origin messages in checkLoginIframe leads to DDoS (CVE-2024-1249)
  • path traversal in the redirect validation (CVE-2024-2419)
  • secondary factor bypass in step-up authentication (CVE-2023-3597)
  • impersonation via logout token exchange (CVE-2023-0657)
  • session hijacking via re-authentication (CVE-2023-6787)
  • keycloak-rhel9-operator-bundle-container: Log Injection during WebAuthn authentication or registration (CVE-2023-6484)
  • keycloak-rhel9-operator-container: Log Injection during WebAuthn authentication or registration (CVE-2023-6484)

This erratum releases bug-fix and enhancement images for Red Hat build of Keycloak 22.0.10 for use within the OpenShift Container Platform 4.12, 4.13, 4.14 and 4.15 cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.
