Keycloak 25.0.2 Update & Update java-17-openjdk to version 17.0.12.0.7 (MINDBREEZE31522)

ID: MINDBREEZE31522
Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS 
Severity: 8.1 HIGH 
Status: Final 
First published: September 04, 2024 
CVEs: CVE-2024-2700 CVE-2024-1726 CVE-2024-21011 CVE-2024-21068 CVE-2024-21094 CVE-2024-1132 CVE-2024-1249 CVE-2024-2419 CVE-2024-3656 GHSA-69fp-7c8p-crjr CVE-2023-0657 GHSA-4vc8-pg5c-vg4x GHSA-cq42-vhv7-xr7p CVE-2023-3597 CVE-2023-6484 CVE-2023-6544 CVE-2023-6717 CVE-2023-6787 CVE-2024-21131 CVE-2024-21138 CVE-2024-21140 CVE-2024-21145 CVE-2024-21147 CVE-2024-29025 CVE-2024-1023 CVE-2024-1300 CVE-2024-29857 CVE-2024-30171 CVE-2024-30172 CVE-2024-21742 CVE-2024-1722 CVE-2024-5967 CVE-2024-34447

Summary

  • CVE-2024-2700:    Quarkus: captures local environment variables from the Quarkus namespace during the application's build
  • CVE-2024-1726:    Quarkus: potential DoS on JAX-RS endpoints
  • CVE-2024-1132:    Keycloak: wildcards in "Valid Redirect URIs" can lead to bypassed validation checks
  • CVE-2024-1249:    Keycloak: the OIDC component accepts unvalidated cross-origin messages, which allows DoS attacks
  • CVE-2024-2419:    Keycloak: configured Allow Hosts can be bypassed (presumably through specifically encoded URLs)
  • CVE-2024-3656:    Keycloak: Admin API allows low-privilege users to use administrative functions
  • CVE-2023-0657:    Keycloak: an authenticated attacker can exchange a logout token for an access token and possibly gain access to data outside of enforced permissions
  • CVE-2023-3597:    Keycloak: a remote user authenticated with a password can register a false second authentication factor alongside an existing one and bypass authentication
  • CVE-2023-6484:    Keycloak: log injection; a text string may be injected through the authentication form when using the WebAuthn authentication mode
  • CVE-2023-6544:    Keycloak: a permissive regular expression hardcoded for filtering allows hosts to register a dynamic client; a malicious user with enough information about the environment could abuse a Dynamic Client Registration and TrustedDomain configuration that was previously unauthorized
  • CVE-2023-6717:    Keycloak: SAML client registration could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk
  • CVE-2023-6787:    Keycloak: under specific situations with specific user actions, an active Keycloak session can be hijacked
  • GHSA-69fp-7c8p-crjr:    Keycloak: when OAuth PAR is used, client-provided parameters are included in a plain-text cookie
  • GHSA-4vc8-pg5c-vg4x:    Keycloak: allows an email address to be used as a username without checking that an account with this email already exists; the affected user may then be unable to reset the password or log in with that email
  • GHSA-cq42-vhv7-xr7p:    Keycloak: in any realm with "User (Self) registration" enabled, a user registered with a username in email format can be "locked out" (denied from logging in) using that username
  • CVE-2024-21131:    java-17-openjdk: potential UTF8 size overflow
  • CVE-2024-21011:    java-17-openjdk: long Exception message leading to crash
  • CVE-2024-21068:    java-17-openjdk: integer overflow in C1 compiler address generation
  • CVE-2024-21094:    java-17-openjdk: C2 compilation fails with "Exceeded _node_regs array"
  • CVE-2024-21138:    java-17-openjdk: excessive symbol length can lead to infinite loop
  • CVE-2024-21140:    java-17-openjdk: Range Check Elimination (RCE) pre-loop limit overflow
  • CVE-2024-21145:    java-17-openjdk: out-of-bounds access in 2D image handling
  • CVE-2024-21147:    java-17-openjdk: RangeCheckElimination array index overflow
  • CVE-2024-29025:    netty-codec-http: allocation of resources without limits or throttling
  • CVE-2024-1023:     Vert.x: HTTP client memory leak
  • CVE-2024-1300:     Vert.x: HTTP server memory leak when a TCP server is configured with TLS and SNI support
  • CVE-2024-29857:    Bouncy Castle: importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption
  • CVE-2024-30171:    Bouncy Castle Java TLS API and JSSE Provider: timing-based leakage may occur in RSA-based handshakes
  • CVE-2024-30172:    Bouncy Castle Java Cryptography: an infinite loop can occur via a crafted signature and public key
  • CVE-2024-21742:    MIME4J library: improper input validation
  • CVE-2024-1722:     Keycloak: other accounts can be blocked from logging in
  • CVE-2024-5967:     Keycloak: LDAP connection settings can be changed in a way that leaks the configured (domain) bind credentials
  • CVE-2024-34447:    Bouncy Castle Java Cryptography APIs: DNS poisoning
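CVE-2024-1132 in the list above concerns wildcard entries in a client's "Valid Redirect URIs". The following Python is an added illustration of why a wildcard redirect URI is only as safe as the matcher behind it; it is not Keycloak's own validator and does not reproduce the specific bypass reported in that CVE. It contrasts a naive string-prefix wildcard match with a parsed, component-wise match that compares scheme, host and port exactly and applies the wildcard only to the normalized path. All hostnames, patterns and URIs are constructed for the example.

```python
"""Redirect URI validation, shown two ways: a naive string-prefix wildcard
match and a parsed, component-wise match. Added illustration only; not
Keycloak's code and not the specific bypass from CVE-2024-1132. Hostnames,
patterns and URIs below are constructed for the example."""
import posixpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def naive_wildcard_match(pattern: str, uri: str) -> bool:
    """Weak check: a trailing '*' means 'anything may follow', compared on
    the raw strings. It never asks which host the browser would be sent to."""
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def strict_redirect_match(pattern: str, uri: str) -> bool:
    """Stronger check: parse both sides, require identical scheme, host and
    port, reject userinfo and fragments, and allow '*' only as the last
    path segment of the pattern, matched against the normalized path."""
    p, u = urlsplit(pattern), urlsplit(uri)
    if "*" in p.netloc:
        return False  # a wildcard in the authority part is never accepted
    if not u.scheme or not u.hostname or u.fragment:
        return False
    if u.username is not None or u.password is not None:
        return False  # "https://good.example@evil.test/" parses as host evil.test
    if (u.scheme, u.hostname) != (p.scheme, p.hostname):
        return False
    try:
        u_port = u.port or DEFAULT_PORTS.get(u.scheme)
        p_port = p.port or DEFAULT_PORTS.get(p.scheme)
    except ValueError:
        return False  # non-numeric or out-of-range port
    if u_port != p_port:
        return False
    # Normalize the candidate path so "/cb/../admin" is judged as "/admin",
    # keeping a trailing slash if the caller sent one.
    u_path = posixpath.normpath(u.path or "/")
    if u.path.endswith("/") and u_path != "/":
        u_path += "/"
    p_path = p.path or "/"
    if p_path.endswith("*"):
        base = p_path[:-1]
        if not base.endswith("/"):
            return False  # only a whole-segment wildcard ("/cb/*") is allowed
        return u_path == base.rstrip("/") or u_path.startswith(base)
    return u_path == p_path


def compare(pattern: str, uri: str) -> tuple:
    """Return the (naive, strict) verdicts for one pattern/URI pair."""
    return naive_wildcard_match(pattern, uri), strict_redirect_match(pattern, uri)


# Constructed cases: a host-suffix trick, a userinfo trick, a path
# traversal, a legitimate callback, and a port mismatch.
CASES = [
    ("https://app.example.com*", "https://app.example.com.evil.test/cb"),
    ("https://app.example.com*", "https://app.example.com@evil.test/cb"),
    ("https://app.example.com/cb/*", "https://app.example.com/cb/../admin"),
    ("https://app.example.com/cb/*", "https://app.example.com/cb/done?state=abc"),
    ("https://app.example.com/cb/*", "https://app.example.com:8443/cb/done"),
]

if __name__ == "__main__":
    for pattern, uri in CASES:
        naive, strict = compare(pattern, uri)
        print(f"{pattern:30} {uri:44} naive={naive!s:5} strict={strict}")
```

The first three cases are accepted by the naive matcher and rejected by the strict one; the practical lesson is the same one the advisory implies: prefer exact redirect URIs, and where a wildcard is unavoidable, confine it to the path and validate the parsed components rather than the raw string.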


Hotfix Information 

Fixed with the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

  • Mindbreeze InSpire SaaS 24.5 Release
  • Mindbreeze InSpire 24.5 Release