Keycloak old versions support


Yury Kitkevich

May 11, 2022, 4:26:24 AM
to Keycloak User
Hi there!

What is the general suggestion about the Keycloak frequent upgrade?
I see there are many major version upgrades throughout the year.
Should we follow and immediately upgrade Keycloak to the latest version?
Is there any high-level support for old versions (for example, if some critical vulnerability like log4shell appears), and how long are old versions supported?

Thank you!

Vilmos Nagy

May 13, 2022, 3:20:46 AM
to Keycloak User
As far as I know there's no support for Keycloak. If you'd like to stick with a version for a longer period of time, use the commercial Red Hat SSO.

Łukasz Dywicki

May 13, 2022, 6:52:15 PM
to Keycloak User
A generic rule of thumb for stability is what RH SSO version is. This is a maintained release which gets patches, if you subscribe for it. SSO 7.4 was based on Keycloak 9, 7.5 is based on Keycloak 15 as far as I remember.

Nothing really blocks you from running an older version for a longer time. If you face critical vulnerabilities (afaik log4j2 did not affect Keycloak but more recent Infinispan >= 9.4), you can always port back patches from a recent release to the one you use and build a new assembly. I've helped some customers developing their product on top of Keycloak 9, I also helped another one running Keycloak 9 for several years. Eventually, due to business importance, their installation was migrated to RH SSO. Running a custom or patched version of Keycloak is possible to do. It's just a question of how much effort you can put into it and how big an impact an eventual failure makes on your business.

From a community point of view there is not much to be added, because each open source project is usually about getting new features so it expands or solidifies its community base. :)

Cheers,
Łukasz

Yury Kitkevich

May 18, 2022, 7:49:55 AM
to Keycloak User
Does anyone know what the oldest Keycloak versions are for which the Keycloak team will observe and notify about new vulnerabilities?
Is there a practice to update the oldest Keycloak versions when some new vulnerabilities appear?

Thank you!

Jon Koops

May 18, 2022, 7:52:15 AM
to Yury Kitkevich, Keycloak User
We do not provide any support for older Keycloak versions, it is recommended to update to the latest version of Keycloak at all times. If you are looking for extended support we provide Red Hat SSO as a commercial product.



Łukasz Dywicki

May 18, 2022, 8:04:08 AM
to keyclo...@googlegroups.com
Have a look at the Red Hat SSO release information. [0]

The above page outlines commercially supported versions. On this page you
can see which versions of Keycloak are related to the product.
If you track vulnerability databases [1] you can find out if Keycloak is
affected. You can also look at Red Hat SSO related CVEs. [2]

Be aware that once a CVE is published, if it's critical, you might have a
very narrow window to patch Keycloak. Also the time from reporting to
publishing is known only to RH, it might be that an issue remains for
several months before it is announced and the open source version is fixed.
Because patches for old versions are not published you will need to
backport the fix from the latest Keycloak release to the older one or find a solution
yourself. It might not be straightforward. Some CVEs might be a result of
improper configuration, but it's not always the case.

Best,
Łukasz
--
Independent Open Source consultant ;)
http://code-house.org | http://dywicki.pl

[0] https://access.redhat.com/articles/2342881
[1] https://nvd.nist.gov/vuln/search
[2] https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&orderBy=2.3&keyword=cpe%3A2.3%3Aa%3Aredhat%3Asingle_sign-on&status=FINAL%2CDEPRECATED

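As an added example (not part of the thread), the "track vulnerability databases" step above can be automated against NVD's JSON: the check below takes records in the shape of the NVD 2.0 API, matches the `cpeMatch` entries for a product against the Keycloak version you actually run, and handles both explicit-version CPEs and wildcard CPEs with `versionStart*`/`versionEnd*` range bounds. The CVE ids and ranges in `SAMPLE_NVD_JSON` are constructed placeholders, and node `operator`/`negate` logic is simplified to "any vulnerable match counts".

```python
import json

# Constructed sample shaped like an NVD 2.0 API response (not real CVE data;
# the CVE ids and version ranges are placeholders for illustration only).
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-00001", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "9.0.0", "versionEndExcluding": "16.1.0"}]}]}]}},
    {"cve": {"id": "CVE-0000-00002", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:redhat:keycloak:18.0.0:*:*:*:*:*:*:*"}]}]}]}},
]})

def parse_version(text):
    """Turn '15.0.2' into (15, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())

def cpe_matches(match, product, version):
    """True if one cpeMatch entry covers the given product name and version.

    CPE 2.3 layout: cpe:2.3:part:vendor:product:version:update:...  so the
    product is field 4 and the version field 5; '*' means "use range bounds".
    """
    parts = match["criteria"].split(":")
    if not match.get("vulnerable", False) or parts[4] != product:
        return False
    v = parse_version(version)
    if parts[5] != "*":                       # explicit version in the CPE string
        return parse_version(parts[5]) == v
    lo_inc = match.get("versionStartIncluding")
    lo_exc = match.get("versionStartExcluding")
    hi_inc = match.get("versionEndIncluding")
    hi_exc = match.get("versionEndExcluding")
    if lo_inc and v < parse_version(lo_inc):
        return False
    if lo_exc and v <= parse_version(lo_exc):
        return False
    if hi_inc and v > parse_version(hi_inc):
        return False
    if hi_exc and v >= parse_version(hi_exc):
        return False
    return True

def affected_cves(nvd_json, product, version):
    """Return the sorted ids of CVEs whose configurations cover product/version."""
    hits = set()
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        for conf in cve.get("configurations", []):
            for node in conf.get("nodes", []):
                if any(cpe_matches(m, product, version) for m in node.get("cpeMatch", [])):
                    hits.add(cve["id"])
    return sorted(hits)
```

Feed it a saved NVD query result for the `redhat:keycloak` or `redhat:single_sign-on` CPE and the version string from your deployment; an empty list for an old version only means no published record matched, not that the version is safe.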