SB2025043010 - Multiple vulnerabilities in Keycloak

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper validation of certificate with host mismatch (CVE-ID: CVE-2025-3501)

The vulnerability allows a remote attacker to bypass implemented security restrictions. 

The vulnerability exists due to an error in org.keycloak.protocol.services package, when setting a verification policy to "ALL", which causes the application to skip trust store certificate verification. A remote attacker can perform MitM attack.

2) Protection Mechanism Failure (CVE-ID: CVE-2025-3910)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to an error in the org.keycloak.authorization package. A remote user can disable two factor authentication imposed by the application.

3) Resource management error (CVE-ID: CVE-2025-2559)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when caching JWT tokens. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely leading to denial of service.

Remediation

Install update from vendor's website.

References

• https://bugzilla.redhat.com/show_bug.cgi?id=2358834
• https://github.com/keycloak/keycloak/security/advisories/GHSA-hw58-3793-42gg
• https://bugzilla.redhat.com/show_bug.cgi?id=2361923
• https://github.com/keycloak/keycloak/security/advisories/GHSA-5jfq-x6xp-7rw2
• https://bugzilla.redhat.com/show_bug.cgi?id=2353868