rhsa-2025:8690
Vulnerability from csaf_redhat
Published
2025-06-09 13:57
Modified
2025-08-07 12:27
Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.2.5 Security Update

Notes

Topic
New Red Hat build of Keycloak 26.2.5 packages are available from the Customer Portal
Details
Red Hat build of Keycloak 26.2.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Security fixes: * XStream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream (CVE-2024-47072) * Keycloak hostname verification (CVE-2025-3501)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "New Red Hat build of Keycloak 26.2.5 packages are available from the Customer Portal",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat build of Keycloak 26.2.5 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nSecurity fixes:\n* XStream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream (CVE-2024-47072)\n* Keycloak hostname verification (CVE-2025-3501)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:8690",
        "url": "https://access.redhat.com/errata/RHSA-2025:8690"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_8690.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.2.5 Security Update",
    "tracking": {
      "current_release_date": "2025-08-07T12:27:59+00:00",
      "generator": {
        "date": "2025-08-07T12:27:59+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.6"
        }
      },
      "id": "RHSA-2025:8690",
      "initial_release_date": "2025-06-09T13:57:15+00:00",
      "revision_history": [
        {
          "date": "2025-06-09T13:57:15+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-06-09T13:57:15+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-08-07T12:27:59+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat build of Keycloak 26",
                "product": {
                  "name": "Red Hat build of Keycloak 26",
                  "product_id": "Red Hat build of Keycloak 26",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:build_keycloak:26"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat build of Keycloak"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47072",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2024-11-08T13:47:39.374198+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2324606"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the XStream library. A remote attacker may trigger a denial of service by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. This issue may lead to the termination of the application.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability in XStream is considered an Important severity rather than Moderate because it exposes applications to a denial of service (DoS) attack with relative ease. By exploiting the flaw in the `BinaryStreamDriver`, an attacker can manipulate the binary input stream to trigger a stack overflow, which terminates the application unexpectedly. Unlike moderate vulnerabilities, which may require specific conditions or limited privileges, this flaw enables remote attackers to forcefully terminate services by crafting malicious input, impacting system availability. Additionally, the vulnerability\u2019s reliance on a common serialization mechanism elevates the risk, as it may affect applications across various environments and industries where XStream is deployed.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-47072"
        },
        {
          "category": "external",
          "summary": "RHBZ#2324606",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2324606"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-47072",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-47072"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-47072",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47072"
        },
        {
          "category": "external",
          "summary": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266",
          "url": "https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266"
        },
        {
          "category": "external",
          "summary": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q",
          "url": "https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q"
        },
        {
          "category": "external",
          "summary": "https://x-stream.github.io/CVE-2024-47072.html",
          "url": "https://x-stream.github.io/CVE-2024-47072.html"
        }
      ],
      "release_date": "2024-11-07T23:38:52.978000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-06-09T13:57:15+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:8690"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat build of Keycloak 26"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "com.thoughtworks.xstream: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream"
    },
    {
      "cve": "CVE-2025-3501",
      "cwe": {
        "id": "CWE-297",
        "name": "Improper Validation of Certificate with Host Mismatch"
      },
      "discovery_date": "2025-04-10T12:24:28.784000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2358834"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak. By setting a verification policy to \u0027ALL\u0027, the trust store certificate verification is skipped, which is unintended.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.keycloak.protocol.services: Keycloak hostname verification",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat has rated this as an Important severity, although this configuration is not recommended, especially in production environments.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-3501"
        },
        {
          "category": "external",
          "summary": "RHBZ#2358834",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358834"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-3501",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-3501"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-3501",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3501"
        },
        {
          "category": "external",
          "summary": "https://github.com/keycloak/keycloak/issues/39350",
          "url": "https://github.com/keycloak/keycloak/issues/39350"
        },
        {
          "category": "external",
          "summary": "https://github.com/keycloak/keycloak/pull/39366",
          "url": "https://github.com/keycloak/keycloak/pull/39366"
        }
      ],
      "release_date": "2025-04-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-06-09T13:57:15+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:8690"
        },
        {
          "category": "workaround",
          "details": "Use the correct TLS configuration and avoid using \"--tls-hostname-verifier=any\".",
          "product_ids": [
            "Red Hat build of Keycloak 26"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "org.keycloak.protocol.services: Keycloak hostname verification"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.