Bug 1211784 (CVE-2023-1664)

Summary: VUL-0: CVE-2023-1664: keycloak: Untrusted Certificate Validation
Product: [openSUSE] openSUSE Distribution
Reporter: Stoyan Manolov <stoyan.manolov>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: Leap 15.4
Target Milestone: Leap 15.4
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/361499/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Stoyan Manolov 2023-05-29 03:04:27 UTC
CVE-2023-1664

A flaw was found in Keycloak. This flaw depends on the non-default configuration
"Revalidate Client Certificate" being enabled and the reverse proxy not
validating the certificate before Keycloak. Using this method an attacker may
choose the certificate which will be validated by the server. If this happens
and the KC_SPI_TRUSTSTORE_FILE_FILE variable is missing/misconfigured, any
trustfile may be accepted, with the logging information "Cannot validate
client certificate trust: Truststore not available". This may not impact
availability, as the attacker would have no access to the server, but consumer
applications' integrity or confidentiality may be impacted considering a possible
access to them. Considering the environment is correctly set to use "Revalidate
Client Certificate", this flaw is avoidable.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-1664
https://bugzilla.redhat.com/show_bug.cgi?id=2182196&comment#0
https://bugzilla.redhat.com/show_bug.cgi?id=2182196
https://www.cve.org/CVERecord?id=CVE-2023-1664
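The description above names two preconditions (the non-default "Revalidate Client Certificate" option and a missing or unusable KC_SPI_TRUSTSTORE_FILE_FILE) and one log signature. The following is an added defender-side check, not Keycloak code or anything from this bug report: it evaluates a deployment's environment against those preconditions and scans server log lines for the "Truststore not available" message. The `revalidate_client_cert` and `proxy_validates_cert` flags and the sample log lines are constructed inputs.

```python
import os
from dataclasses import dataclass

# Environment variable and log message as named in the CVE-2023-1664 description.
TRUSTSTORE_ENV = "KC_SPI_TRUSTSTORE_FILE_FILE"
TRUSTSTORE_MISSING_MSG = "Cannot validate client certificate trust: Truststore not available"


@dataclass
class Finding:
    severity: str
    message: str


def assess_truststore_config(env, revalidate_client_cert, proxy_validates_cert,
                             path_exists=os.path.isfile):
    """Return findings for a Keycloak deployment described by `env` (a dict of
    environment variables) and two constructed booleans: whether the X.509
    authenticator's "Revalidate Client Certificate" option is on, and whether
    the reverse proxy in front of Keycloak validates the client certificate."""
    findings = []
    if not revalidate_client_cert:
        # Non-default option not enabled: the flaw's precondition is absent.
        return findings
    truststore = env.get(TRUSTSTORE_ENV, "").strip()
    if not truststore:
        findings.append(Finding("high", f"{TRUSTSTORE_ENV} is not set; revalidation "
                                        "cannot verify client certificate trust"))
    elif not path_exists(truststore):
        findings.append(Finding("high", f"{TRUSTSTORE_ENV} points to a missing file: "
                                        f"{truststore}"))
    if not proxy_validates_cert:
        findings.append(Finding("medium", "reverse proxy does not validate the client "
                                          "certificate before Keycloak"))
    return findings


def find_truststore_warnings(log_lines):
    """Return the log lines carrying the truststore-unavailable message."""
    return [line for line in log_lines if TRUSTSTORE_MISSING_MSG in line]


# Constructed sample log excerpt (not real Keycloak output).
SAMPLE_LOG = [
    "2023-05-29 03:04:27,001 INFO  [org.keycloak] Keycloak started",
    "2023-05-29 03:05:10,412 WARN  [org.keycloak] " + TRUSTSTORE_MISSING_MSG,
    "2023-05-29 03:05:10,413 INFO  [org.keycloak] login success for user alice",
]
```

A deployment with no findings and no matching log lines does not have the conditions this CVE describes; a "high" finding means revalidation is on but trust cannot actually be checked.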
Comment 1 Fridrich Strba 2024-04-02 15:30:43 UTC
The package lives here https://build.opensuse.org/package/show/Java:binaries/keycloak and the version there is the repackaged 24.0.2, which has this one fixed. I don't see it anywhere in backports, so most likely it is not there.
Reassigning to security to know what to do: to close or not to close.