Keycloak Vulnerability


Vinod Kumar

Jul 24, 2023, 6:51:10 AM
to Keycloak User
Hi,

We are running Keycloak version 17, and a vulnerability was found with AngularJS version 1.x in our scan. We found that Keycloak is not using AngularJS in its code; however, in the themes, we found that the 'keycloak' theme, particularly under the 'common' folder, has AngularJS files.

Do you know if we can remove that particular 'common' folder from the 'keycloak' theme with no impact?

Kind Regards
B Vinod

Jon Koops

Jul 24, 2023, 7:00:52 AM
to Vinod Kumar, Keycloak User
That version of Keycloak is certainly using Angular JS for the Administration Console, so I doubt you can safely remove that. However, if you are running Keycloak 17, there are a LOT more severe vulnerabilities you should be worried about. I would highly recommend that you upgrade to the latest version of Keycloak if you want to remain secure. Alternatively, if you are looking to have a more stable platform that receives long term support and security updates, I would recommend that you look at our commercial platform Red Hat Single Sign-On, which is based on Keycloak.

--
You received this message because you are subscribed to the Google Groups "Keycloak User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-user/c4ba70e0-d778-4135-82b4-95a9148edd38n%40googlegroups.com.

Vinod Kumar

Jul 24, 2023, 8:07:24 AM
to Keycloak User
Hi Jon,

Thank you for your response.

I just checked RH SSO 7.6, which is the latest, and it has the same 'keycloak' theme, which is using AngularJS 1.x. So it is considered vulnerable, right? I may be wrong.

WildFly Keycloak is marked as deprecated. To install the latest version, Keycloak 22, I want to try the Quarkus distribution. But there is no proper documentation on how to install & configure Keycloak with the Quarkus distribution. Do you have one, please?

Kind Regards
B Vinod Kumar

Jon Koops

Jul 24, 2023, 8:46:14 AM
to Vinod Kumar, Keycloak User
> I just checked RH SSO 7.6, which is the latest, and it has the same 'keycloak' theme, which is using AngularJS 1.x. So it is considered vulnerable, right? I may be wrong.

Depends on what vulnerability you are referring to. As far as I am aware there are currently no exploitable vulnerabilities in Angular JS present in RH-SSO. This will also be resolved in the next version, which no longer depends on Angular JS.

> To install the latest version, Keycloak 22, I want to try the Quarkus distribution. But there is no proper documentation on how to install & configure Keycloak with the Quarkus distribution. Do you have one, please?

You can find the migration guide in this blog post.

Vinod Kumar

Jul 26, 2023, 11:24:08 AM
to Keycloak User
Hi Jon,

Hope you're doing good.

We are working on the Keycloak upgrade to the latest version, 22. We are stuck in two areas.

1. We are able to start Keycloak with kc.sh start; however, we are receiving ERROR [org.keycloak.events.EventBuilder] (executor-thread-1) Event listener 'metrics-listener' registered, but provider not found. Do you know where we can get this metrics listener jar file? We also tried bin/kc.[sh|bat] start --metrics-enabled=true; however, we still see the metrics error.

2. We are not able to create a systemd service for the latest Keycloak.

The systemd service file looks like below.

[Unit]
Description=keycloak service
#After=network.service

[Service]
Type=simple
ExecStart=/bin/bash -c '/apps/keycloak/keycloak-22.0.1/bin/kc.sh start --optimized'

[Install]
WantedBy=default.target

Below is the error when we check the service status. Any suggestions to resolve these errors would be a great help.

● keycloak.service
   Loaded: loaded (/etc/systemd/system/keycloak.service; bad; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2023-07-26 20:46:23 IST; 4s ago
  Process: 53668 ExecStart=/bin/bash -c /apps/keycloak/keycloak-22.0.1/bin/kc.sh start --optimized (code=exited, status=1/FAILURE)
 Main PID: 53668 (code=exited, status=1/FAILURE)

Jul 26 20:46:23 servername bash[53668]: Exception in thread "main" java.lang.UnsupportedClassVersionError: org/keycloak/quarkus/runtime/KeycloakMain has been compiled by a more recent version of the Java Runtime (c...rsions up to 55.0
Jul 26 20:46:23 Keycloaksrv bash[53668]: at java.base/java.lang.ClassLoader.defineClass1(Native Method)
Jul 26 20:46:23  servername   bash[53668]: at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1017)
Jul 26 20:46:23  servername   bash[53668]: at io.quarkus.bootstrap.runner.RunnerClassLoader.loadClass(RunnerClassLoader.java:105)
Jul 26 20:46:23  servername   bash[53668]: at io.quarkus.bootstrap.runner.RunnerClassLoader.loadClass(RunnerClassLoader.java:65)
Jul 26 20:46:23  servername   bash[53668]: at io.quarkus.bootstrap.runner.QuarkusEntryPoint.doRun(QuarkusEntryPoint.java:60)
Jul 26 20:46:23  servername   bash[53668]: at io.quarkus.bootstrap.runner.QuarkusEntryPoint.main(QuarkusEntryPoint.java:32)
Jul 26 20:46:23  servername   systemd[1]: keycloak.service: main process exited, code=exited, status=1/FAILURE

Kind Regards
Vinod
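The UnsupportedClassVersionError in the status output above means the JDK that systemd hands to kc.sh only accepts class files up to version 55.0 (Java 11), while the Keycloak Quarkus distribution was compiled for a newer release. The script below is an added example for this thread, not code from the Keycloak project: it decodes that error line into Java release numbers and runs as a pre-start check so the unit fails with a clear message instead of a stack trace. The required release (17), the install path and the JAVA_HOME handling are assumptions you adjust for your own host; the sample error line is constructed to match the JDK's message format.

```shell
#!/bin/sh
# Added example (not from the thread or the Keycloak project): pre-start JDK check
# for a Keycloak Quarkus distribution. Assumptions: Keycloak 22 needs Java 17,
# KC_HOME is your install path, and kc.sh honours JAVA_HOME when it is set.

REQUIRED_JAVA="${REQUIRED_JAVA:-17}"
KC_HOME="${KC_HOME:-/apps/keycloak/keycloak-22.0.1}"

# Constructed sample of the full JDK message (the thread's copy is truncated).
SAMPLE_ERROR='Exception in thread "main" java.lang.UnsupportedClassVersionError: org/keycloak/quarkus/runtime/KeycloakMain has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0'

# Class-file major version -> Java release. Java 1.1 is major 45, so the
# release is major - 44 (52 -> 8, 55 -> 11, 61 -> 17). The ".0" minor is dropped.
classfile_major_to_java() {
  major="${1%%.*}"
  echo $(( major - 44 ))
}

# Major release from a `java -version` first line, covering both the legacy
# "1.8.0_292" form (-> 8) and the modern "17.0.8" form (-> 17).
java_major_from_version_string() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9.]*\).*/\1/p')
  case "$v" in
    1.*) echo "${v#1.}" | sed 's/\..*//' ;;
    *)   echo "${v%%.*}" ;;
  esac
}

# Translate an UnsupportedClassVersionError line into "needs Java N, runtime is Java M".
# Returns 0 if the runtime is new enough, 1 on a mismatch, 2 if the line does not match.
diagnose_version_error() {
  line="$1"
  compiled=$(printf '%s\n' "$line" | sed -n 's/.*(class file version \([0-9]*\)\..*/\1/p')
  supported=$(printf '%s\n' "$line" | sed -n 's/.*up to \([0-9]*\)\..*/\1/p')
  if [ -z "$compiled" ] || [ -z "$supported" ]; then
    echo "not an UnsupportedClassVersionError line"
    return 2
  fi
  needs=$(classfile_major_to_java "$compiled")
  has=$(classfile_major_to_java "$supported")
  echo "needs Java $needs, runtime is Java $has"
  [ "$needs" -le "$has" ]
}

# First line of `java -version` for the JDK kc.sh will actually use.
running_java_version_line() {
  if [ -n "${JAVA_HOME:-}" ]; then java_bin="$JAVA_HOME/bin/java"; else java_bin=java; fi
  "$java_bin" -version 2>&1 | head -n 1
}

# Refuse to start when the JDK is too old; meant to run before kc.sh in the unit.
preflight() {
  have=$(java_major_from_version_string "$(running_java_version_line)")
  if [ -z "$have" ] || [ "$have" -lt "$REQUIRED_JAVA" ]; then
    echo "refusing to start: $KC_HOME needs Java $REQUIRED_JAVA, found Java ${have:-unknown}" >&2
    return 1
  fi
  echo "Java $have satisfies the Java $REQUIRED_JAVA requirement for $KC_HOME"
}

# Usage: ./kc-preflight.sh --check   (then: exec "$KC_HOME/bin/kc.sh" start --optimized)
if [ "${1:-}" = "--check" ]; then
  preflight || exit 1
fi
```

In the unit file this would become the script that ExecStart invokes, so systemd can export the JAVA_HOME you want via Environment= and the check runs under the same user and environment the service will use; the "bad" load state in the status output is a separate unit-file issue that journalctl -u keycloak.service will describe.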

Jon Koops

Jul 26, 2023, 12:35:37 PM
to Vinod Kumar, Keycloak User
I am unfortunately not familiar with these areas, so I can't help out with that. Perhaps these are known issues in our issue tracker? If not, feel free to log an issue so that it can be resolved.
