Posted to dev@datalab.apache.org by "Vira Vitanska (Jira)" <ji...@apache.org> on 2022/07/19 12:39:00 UTC
[jira] [Updated] (DATALAB-2934) Upgrade prod Keycloak
[ https://issues.apache.org/jira/browse/DATALAB-2934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vira Vitanska updated DATALAB-2934:
-----------------------------------
Description:
*Threat / Description:*
Keycloak is an open source Identity and Access Management solution targeted towards modern applications and services. A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
Affected Versions:
Keycloak versions prior to 13.0.0
QID Detection Logic:
This detection sends a specially crafted GET request with a request_uri parameter; vulnerable servers will make a DNS query that triggers the Qualys Periscope detection mechanism.
*Impact:*
Successful exploitation of this vulnerability may allow a remote attacker to execute a Blind SSRF attack, measuring the response time to perform a port scan of the target server or internally accessible hosts.
*Solution:*
Upgrade to [Keycloak 13.0.0|https://www.keycloak.org/downloads.html] or later
was:
*Threat / Description:*
Keycloak is an open source Identity and Access Management solution targeted towards modern applications and services. A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.
Affected Versions:
Keycloak versions prior to 13.0.0
QID Detection Logic:
This detection sends a specially crafted GET request with a request_uri parameter; vulnerable servers will make a DNS query that triggers the Qualys Periscope detection mechanism.
*Impact:*
Successful exploitation of this vulnerability may allow a remote attacker to execute a Blind SSRF attack, measuring the response time to perform a port scan of the target server or internally accessible hosts.
*Solution:*
Upgrade to [Keycloak 13.0.0|https://www.keycloak.org/downloads.html] or later
----
Keycloak is updated to v.18.0.1, but during log in/out a black rectangle shows up on the DataLab web UI. Please investigate who is responsible for it. Whoever is in charge is supposed to get rid of this rectangle.
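As an added defender-side example that is not part of this ticket or of Keycloak's own code, the following Python scans access-log lines for authorization requests whose request_uri points at a host outside an allowlist, which is the trace an unverified request_uri fetch (the probe described above) leaves behind. The endpoint path, the simplified log format, the allowlist and the log lines are all assumed or constructed.

```python
"""Flag OIDC authorization requests carrying a request_uri that points
outside an allowlist.  Added example, not part of the Jira ticket or of
Keycloak.  Assumes a simplified 'METHOD PATH?QUERY STATUS' log format
and the Keycloak endpoint path /realms/<realm>/protocol/openid-connect/auth."""
from urllib.parse import parse_qs, urlsplit

# Hosts from which request_uri documents are legitimately fetched (assumed).
ALLOWED_REQUEST_URI_HOSTS = {"sso.example.internal"}

# Constructed sample log lines; none of these is real traffic.
SAMPLE_LOG = """\
GET /realms/datalab/protocol/openid-connect/auth?client_id=web&response_type=code&redirect_uri=https%3A%2F%2Fdatalab.example.internal%2Fcb 302
GET /realms/datalab/protocol/openid-connect/auth?client_id=web&request_uri=https%3A%2F%2Fsso.example.internal%2Freq%2Fabc 302
GET /realms/datalab/protocol/openid-connect/auth?client_id=web&request_uri=https%3A%2F%2Fcollector.example.net%2Fx 400
GET /realms/datalab/protocol/openid-connect/auth?client_id=web&request_uri=http%3A%2F%2F10.0.0.5%3A8080%2F 302
GET /realms/datalab/protocol/openid-connect/token 200
"""


def suspicious_request_uris(log_text):
    """Return (line_no, request_uri) for authorization requests whose
    request_uri host is not on the allowlist.  Internal IPs show up here
    too, which is what a blind SSRF port-scan attempt would look like."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 2:
            continue
        target = urlsplit(parts[1])
        if not target.path.endswith("/protocol/openid-connect/auth"):
            continue
        # parse_qs percent-decodes the value, so urlsplit sees a real URL.
        for req_uri in parse_qs(target.query).get("request_uri", []):
            host = urlsplit(req_uri).hostname or ""
            if host not in ALLOWED_REQUEST_URI_HOSTS:
                hits.append((line_no, req_uri))
    return hits


if __name__ == "__main__":
    for line_no, req_uri in suspicious_request_uris(SAMPLE_LOG):
        print(f"line {line_no}: request_uri to non-allowlisted host -> {req_uri}")
```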
> Upgrade prod Keycloak
> ----------------------
>
> Key: DATALAB-2934
> URL: https://issues.apache.org/jira/browse/DATALAB-2934
> Project: Apache DataLab
> Issue Type: Task
> Security Level: Public(Regular Issues)
> Components: DataLab Main
> Reporter: Vira Vitanska
> Assignee: Oleksandr Polishchuk
> Priority: Critical
> Labels: AWS, DevOps
> Original Estimate: 0.5m
> Remaining Estimate: 0.5m
--
This message was sent by Atlassian Jira
(v8.20.10#820010)