Hello, I’ve got a couple of questions about running Keycloak securely.
- If I want to run Keycloak from a container, I can get pre-built ones from https://quay.io/keycloak/keycloak. The Keycloak 17 container passed quay.io’s security scanning with no vulnerabilities detected. Keycloak 17.0.1 and 18.0.0 show a critical-level vulnerability. Should I be concerned about this, or is the vulnerability impossible to exploit because of the way the software in the container is configured?
- The main release notes for Keycloak 18.0.0 don’t say that it’s necessary to upgrade for security reasons. However, in the detailed list of issues fixed, there are references to various CVEs. Should we be scheduling an urgent upgrade, or were these CVEs not judged to be very important?
Many thanks for your work on Keycloak; it’s worked very well for us and has saved a lot of work implementing our own login system.
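The two questions above come down to one triage decision per scanner finding: is there a fixed version to upgrade to, how severe is it, and has the operator verified that the affected package is never loaded or exposed by this deployment (the "configured so it cannot be exploited" case), in which case the finding is accepted with a recorded justification rather than silently ignored. The script below is an added example, not code from the original post or from the Keycloak project. It assumes a report in the shape of Trivy's JSON output (`Results` containing `Vulnerabilities` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`); the CVE ids, package names and versions in the embedded sample are constructed placeholders, not real findings against any Keycloak image.

```python
"""Triage of container image scan findings (constructed example, not Keycloak project code)."""
import json

# Constructed sample in the shape Trivy's JSON output uses (Results -> Vulnerabilities).
# Every id, package and version below is a placeholder, not a real finding.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "quay.io/keycloak/keycloak:PLACEHOLDER-TAG (os packages)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libexample-os",
                 "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libexample-unfixed",
                 "InstalledVersion": "2.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "example-client-tool",
                 "InstalledVersion": "3.0", "FixedVersion": "3.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-00004", "PkgName": "libexample-os",
                 "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "LOW"},
            ],
        }
    ]
})

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def triage(report_json, unused_packages=frozenset(), min_severity="HIGH"):
    """Return one decision dict per finding, most urgent first.

    unused_packages: packages the operator has verified this deployment never
    loads or exposes. Such findings are accepted with a justification (and
    still listed) instead of being dropped from the report.
    min_severity: findings below this severity are deferred to the next
    routine image rebuild rather than driving an unscheduled upgrade.
    """
    decisions = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = (v.get("Severity") or "UNKNOWN").upper()
            fix = v.get("FixedVersion") or None  # scanners leave this empty when no fix exists
            if v["PkgName"] in unused_packages:
                action = "accept-with-justification"
            elif SEVERITY_RANK.get(sev, 0) < SEVERITY_RANK[min_severity]:
                action = "defer"
            elif fix:
                action = "upgrade-now"
            else:
                action = "track-no-fix"  # nothing to upgrade to yet; watch for a fixed release
            decisions.append({
                "id": v["VulnerabilityID"], "package": v["PkgName"], "severity": sev,
                "installed": v.get("InstalledVersion"), "fixed_version": fix, "action": action,
            })
    # Actionable upgrades first, then by severity, then by id for a stable listing.
    decisions.sort(key=lambda d: (d["action"] != "upgrade-now",
                                  -SEVERITY_RANK.get(d["severity"], 0), d["id"]))
    return decisions


def upgrade_recommended(decisions):
    """True when at least one finding is fixable, severe enough, and in a package that is in use."""
    return any(d["action"] == "upgrade-now" for d in decisions)


if __name__ == "__main__":
    # Hypothetical operator input: example-client-tool has been verified as never used at runtime.
    result = triage(SAMPLE_REPORT, unused_packages={"example-client-tool"})
    for d in result:
        print(f'{d["action"]:26} {d["severity"]:8} {d["id"]} {d["package"]} '
              f'{d["installed"]} -> fix={d["fixed_version"]}')
    print("upgrade recommended:", upgrade_recommended(result))
```

The point of the `unused_packages` list is that "not exploitable in this configuration" is a claim the operator has to verify and record per package, not something the scanner can know; when the justification holds, the finding is still visible in the output so it is re-checked when the deployment changes.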