CVE-2024-10039 Bypassing mTLS validation #35217
Comments
Closes keycloak#35217 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
This was an internally reported CVE, so there is no need to follow up with the reporter. |
…eycloak#35222) Closes keycloak#35217 Signed-off-by: Václav Muzikář <vmuzikar@redhat.com>
With the release of 26.0.6 I thought at first: Yeah, has my 1.5-year-old issue #17059 finally been solved in the docs? If this issue gets a CVE for docs with a missing security warning only, |
@psytester, for reporting security issues, please follow the instructions provided on our community page. These sorts of things should not be publicly disclosed. |
Sure! It's not that I would have skipped this step. Last year on 12 Jan 2023 I sent an e-mail to keycloak-security@googlegroups.com with subject and got a reply from Pedro Igor Silva @ Red Hat
That's why I opened the publicly visible issue #17059 |
No! It is still open.
It can be closed as a duplicate of #35217.
We have also logged these follow-ups: #35858 and #35861
And are working towards adding NetworkPolicy support to the operator: #35598
Or do you see a reason to leave 17059 open?
…On Fri, Dec 13, 2024 at 10:14 AM psytester ***@***.***> wrote:

> Sure! It's not that I would have skipped this step.
> Last year on 12 Jan 2023 I sent an e-mail to ***@***.***
> I asked again on 25 Jan 2023 and got a reply from Pedro Igor Silva @ Red Hat
>
> On 25.01.2023 at 13:02, Pedro Igor Silva wrote:
> > Not sure if we have an issue here but improvements to docs? If I understood correctly, that is your understanding too.
> > The main point here, I think, is that you won't expose the server directly but through a proxy.
> > We do not provide documentation for the different proxy implementations, and I don't think we can do it. However, we can certainly improve docs as you suggested and be more explicit about using a self-named header to resolve the client certificate and chain.
> > We do provide a trust store to validate certificates as per https://www.keycloak.org/server/keycloak-truststore. We can definitely improve here because the trust store can also be used to revalidate the certificate chain when executing mTLS authentication. We kinda have it mentioned here [1] but not so clear.
> > [1] https://www.keycloak.org/docs/latest/server_admin/index.html#_x509
>
> That's why I opened the publicly visible issue #17059
> Not my fault
|
The issue here is somewhat related to mine, but not 100% the same, nor does it give clear advice.
#35861 is about a trusted proxy. My setup is with one proxy in front; this is the trusted one and only. #35858 seems to be about mTLS between the proxy and Keycloak, and not my setup with mTLS between the external end user and the proxy. Did you read my blog post given in #17059 about the tech details? |
> The issue here is somewhat related to mine, but not 100% the same, nor does it give clear advice.

The issue / doc changes cover the considerations to secure the server against an untrusted cert header value - whether through the proxy, or accessing Keycloak directly via HTTP. How does that not cover your issue?

If you don't find the doc changes from https://github.com/keycloak/keycloak/pull/35222/files clear, then it would be best to repurpose your issue, or open a new one, and create a PR with the changes you wish to see. That is unless you believe there is some other new security concern in play here.

> #35861 is about a trusted proxy. My setup is with one proxy in front; this is the trusted one and only.

Once this is implemented and you set the proxy-trusted-addresses option, it will no longer be possible to provide the cert header when not accessing through the proxy.

> #35858 seems to be about mTLS between the proxy and Keycloak, and not my setup with mTLS between the external end user and the proxy.

That is correct, it is only applicable to reencrypt scenarios.

> Did you read my blog post given in #17059 about the tech details?

Yes
…On Fri, Dec 13, 2024 at 11:27 AM psytester ***@***.***> wrote:

> The issue here is somewhat related to mine, but not 100% the same, nor does it give clear advice.
> "Make sure that the proxy overwrites the header that is configured in 'spi-x509cert-lookup-<provider>-ssl-client-cert' option." ---> points indirectly to the same topic of injecting a header.
> #35861 is about a trusted proxy. My setup is with one proxy in front; this is the trusted one and only.
> #35858 seems to be about mTLS between the proxy and Keycloak, and not my setup with mTLS between the external end user and the proxy.
> Did you read my blog post given in #17059 about the tech details?
|
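The two controls discussed in this thread are (a) the proxy must overwrite the header named by the `spi-x509cert-lookup-<provider>-ssl-client-cert` option rather than pass a client-supplied value through, and (b) Keycloak should honour that header only when the request arrives from a trusted proxy address (the `proxy-trusted-addresses` option mentioned above). The following is an added simulation written for this page; it is not Keycloak's code and not part of the original thread. The function names (`lookup_client_cert_vulnerable`, `lookup_client_cert_hardened`, `proxy_forward`, `naive_proxy_forward`, `run_scenarios`), the trusted-proxy list and the PEM strings are constructed for the example; the URL-escaped PEM transport mirrors nginx's `$ssl_client_escaped_cert`, which is an assumption about the provider in use.

```python
"""Simulation of header-based client-certificate lookup behind a TLS-terminating
reverse proxy. Illustrative only; not Keycloak's implementation."""
import ipaddress
from urllib.parse import quote, unquote

# Header Keycloak reads: the value configured in
# spi-x509cert-lookup-<provider>-ssl-client-cert (assumed "ssl-client-cert").
CERT_HEADER = "ssl-client-cert"

# Constructed placeholders standing in for real PEM certificates.
ALICE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...alice...\n-----END CERTIFICATE-----\n"
ADMIN_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...admin...\n-----END CERTIFICATE-----\n"


def lookup_client_cert_vulnerable(peer_ip, headers):
    """Pre-fix behaviour: the header is trusted no matter who the TCP peer is.
    Anyone who can reach Keycloak's listener directly (bypassing the proxy)
    can present an arbitrary certificate and be authenticated as its subject."""
    raw = headers.get(CERT_HEADER)          # peer_ip is deliberately ignored
    return unquote(raw) if raw else None


def lookup_client_cert_hardened(peer_ip, headers, trusted_proxies):
    """Post-fix behaviour modelled on proxy-trusted-addresses: the header is
    honoured only when the connection comes from a listed proxy network."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        return None                          # direct access: header is untrusted
    raw = headers.get(CERT_HEADER)
    return unquote(raw) if raw else None


def proxy_forward(client_headers, client_cert_pem):
    """Correctly configured proxy: it OVERWRITES the certificate header with what
    it observed on the TLS handshake and drops it entirely when the client
    presented no certificate, so an injected value never reaches Keycloak."""
    forwarded = {k: v for k, v in client_headers.items() if k.lower() != CERT_HEADER}
    if client_cert_pem:
        forwarded[CERT_HEADER] = quote(client_cert_pem, safe="")  # URL-escaped PEM
    return forwarded


def naive_proxy_forward(client_headers, client_cert_pem):
    """Misconfigured proxy: it only ADDS the header when a certificate was
    presented and otherwise passes the client's own headers through untouched.
    This is the mistake the doc change warns about."""
    forwarded = dict(client_headers)
    if client_cert_pem:
        forwarded[CERT_HEADER] = quote(client_cert_pem, safe="")
    return forwarded


def run_scenarios():
    """Exercise the attack paths and return what Keycloak would accept in each."""
    trusted = ["10.0.0.5/32"]               # constructed: the single trusted proxy
    proxy_ip, attacker_ip = "10.0.0.5", "10.0.0.77"
    forged = {CERT_HEADER: quote(ADMIN_PEM, safe="")}  # attacker-supplied header
    return {
        # 1. attacker reaches Keycloak's HTTP port directly, skipping the proxy
        "direct_vulnerable": lookup_client_cert_vulnerable(attacker_ip, forged),
        "direct_hardened": lookup_client_cert_hardened(attacker_ip, forged, trusted),
        # 2. attacker goes through a proxy that does not overwrite the header,
        #    presenting no client certificate on the TLS handshake
        "naive_proxy_hardened": lookup_client_cert_hardened(
            proxy_ip, naive_proxy_forward(forged, None), trusted),
        # 3. same attacker through a proxy that overwrites/strips the header
        "good_proxy_hardened": lookup_client_cert_hardened(
            proxy_ip, proxy_forward(forged, None), trusted),
        # 4. legitimate mTLS client through the correctly configured proxy
        "legit": lookup_client_cert_hardened(
            proxy_ip, proxy_forward({}, ALICE_PEM), trusted),
    }


if __name__ == "__main__":
    for name, cert in run_scenarios().items():
        print(f"{name:22s} -> {'authenticated' if cert else 'no client cert'}")
```

Scenario 2 is the one worth noting: even with `proxy-trusted-addresses` set, a trusted proxy that merely adds the header when a certificate is present still lets a forged header through, so both controls are needed. The equivalent operational check is to send a request carrying a forged certificate header straight to Keycloak's listener from an address outside the trusted list, and separately through the proxy without presenting a client certificate, and confirm that neither is authenticated as that certificate's subject.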
…e lookup Closes keycloak#17059 according to follow-up discussion in keycloak#35217 with additional layer of security in configuration Signed-off-by: psytester <psytester@quantentunnel.de>
ok |
Description
A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.