twistlock issue in keycloak 26.0.0 (io.netty_netty-common)


Sreehari Tummala

Nov 20, 2024, 8:46:22 AM
to keyclo...@googlegroups.com

Hi Keycloak team,

Keycloak is packaging io.netty_netty-common, which has the following High severity vulnerability. This is fixed in version 4.1.115. Please let us know when Keycloak will fix this issue.

Thanks in advance!

 

Registry:
Repository:
Tag:
Id: sha256:a3fd6ee4a5ca65d1c6dd92bf5601eebf3f38c65d00dbfb95f4471c8b69c99508
Scan Time: 42:12.2
Pass: TRUE
Type: ciImage
Distro: suse-15.6
Hostname:
Layer:
CVE ID: CVE-2024-47535
Compliance ID: 47
Result: fail
Type: java
Severity: high
Packages: io.netty_netty-common
Source Package:
Package Version: 4.1.111.Final
Package License:
CVSS: 5.5
Fix Status: fixed in 4.1.115
Fix Date: 50:13.0
Grace Days:
Vulnerability Tags:
Description:
  Summary: An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes.
  Details: When the netty library is loaded in a Java Windows application, the library tries to identify the system environment in which it is executed. At this stage, Netty tries to load both `/etc/os-release` and `/usr/lib/os-release` even though it is in a Windows environment. If netty finds these files, it reads them and loads them into memory. By default:
  - The JVM maximum memory size is set to 1 GB,
  - A non-privileged user can create a directory at `C:\` and create files within it.
  The source code identified: https://github.com/netty/netty/blob/4.1/common/src/main/java/io/netty/util/internal/PlatformDependent.java
  Despite the implementation of the function `normalizeOs()`, the source code does not verify the OS before reading `C:\etc\os-release` and `C:\usr\lib\os-release
Cause:
Published: 53:17.0
Custom Labels:
Vulnerability Link: https://nvd.nist.gov/vuln/detail/CVE-2024-47535
PURL: pkg:maven/io.netty/netty-...@4.1.111.Final

Thanks

Sreehari
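For anyone triaging the same finding locally, here is an added helper (not from this post, and not Keycloak's or Netty's own code) that decides whether a packaged netty-common version predates the 4.1.115 fix named in the report, and walks a Keycloak distribution for netty-common jars. It assumes the Quarkus-style jar layout lib/lib/main/<groupId>.<artifactId>-<version>.jar and the Maven PURL form shown in the scan row; both are assumptions.

```python
"""Triage helper for CVE-2024-47535: is a packaged io.netty:netty-common older than the fix?"""
import re
import sys
from pathlib import Path

# Taken from the scan row above: "fixed in 4.1.115".
FIXED_IN = (4, 1, 115)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\w+))?$")
# Assumed jar naming (Quarkus fast-jar layout): io.netty.netty-common-4.1.111.Final.jar
_JAR_RE = re.compile(r"(?:io\.netty\.)?netty-common-(\d+\.\d+\.\d+(?:\.\w+)?)\.jar$")


def parse_netty_version(version: str) -> tuple:
    """Turn a Netty version such as '4.1.111.Final' into a comparable (major, minor, patch) tuple.
    The trailing '.Final' qualifier carries no ordering information, so it is dropped."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Netty version: {version!r}")
    return tuple(int(x) for x in m.group(1, 2, 3))


def is_vulnerable(version: str) -> bool:
    """True when this netty-common version is older than the CVE-2024-47535 fix."""
    return parse_netty_version(version) < FIXED_IN


def purl_version(purl: str) -> str:
    """Pull the version out of a Maven PURL for netty-common (sample PURL constructed here,
    e.g. pkg:maven/io.netty/netty-common@4.1.111.Final)."""
    if not purl.startswith("pkg:maven/io.netty/netty-common@"):
        raise ValueError("not an io.netty:netty-common PURL")
    return purl.split("@", 1)[1]


def scan_keycloak_lib(root: Path) -> list:
    """Find every netty-common jar under a Keycloak install and report (path, version, affected)."""
    findings = []
    for jar in sorted(root.rglob("*netty-common-*.jar")):
        m = _JAR_RE.search(jar.name)
        if m:
            findings.append((jar, m.group(1), is_vulnerable(m.group(1))))
    return findings


if __name__ == "__main__":
    for jar, ver, vuln in scan_keycloak_lib(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{jar}: {ver} -> {'VULNERABLE' if vuln else 'ok'}")
```

Run it with the Keycloak install directory as the single argument; an empty result means no netty-common jar was found under that path, not that the deployment is clean.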
