Is Keycloak affected by the Spring Core RCE vulnerability?

I believe Spring (Boot) is used in the source code. See details about the vulnerability here: Spring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities in Spring | LunaSec

And if so, which parts are affected, any workarounds / fixes?

4 Likes

I came here looking for the same information. No one from Keycloak can reply after two days?

Yes, Keycloak is vulnerable.

I am using the docker image which was updated 2 months ago.

I used this script: GitHub - cybersecurityworks553/spring4shell-detect

Remember to point at the form for authentication for your URL. You will get a false result otherwise:

$ python3 detect_v2.py --url http://127.0.0.1:8080/auth/realms/master/protocol/openid-connect/auth --post
[<>] Testing for Spring4Shell…!

Using POST Method
[+] Vulnerable!

I am not sure what the fix is currently. :frowning:

1 Like

The “vulnerability test” of this script is very basic. It simply checks if the server responds with “400 Bad Request” to mark it as vulnerable. Since the exploit code doesn’t make any sense for Keycloak, it correctly answers with a 400 status code. It does so also when you send some other nonsense to this endpoint. So this doesn’t prove Keycloak to be affected.

1 Like
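An added illustration of the false-positive argument above (this is not code from the thread or from the detection script): the naive "any 400 means vulnerable" verdict is compared with a verdict that also sends a harmless control request, against a constructed stand-in for an endpoint that answers 400 to any malformed authorization request. The endpoint model, the parameter set and all names are assumptions.

```python
# Added example: why "400 Bad Request" on its own is not evidence of a vulnerable host.
# model_auth_endpoint is a constructed stand-in (an assumption), not Keycloak's code:
# it accepts a well-formed OIDC authorization request and rejects everything else.
from urllib.parse import parse_qs

# Assumed minimal parameter set for a well-formed authorization request.
REQUIRED = {"client_id", "response_type", "redirect_uri"}


def model_auth_endpoint(query: str) -> int:
    """Return an HTTP status for the constructed /auth-style endpoint.

    A well-formed request is redirected (302) to the login form; any other
    query is rejected with 400, whether it looks like a probe or plain junk.
    """
    params = parse_qs(query, keep_blank_values=True)
    return 302 if REQUIRED.issubset(params) else 400


def naive_verdict(status: int) -> str:
    """The heuristic described in the thread: every 400 is reported as vulnerable."""
    return "Vulnerable!" if status == 400 else "Not vulnerable"


def differential_verdict(probe_status: int, control_status: int) -> str:
    """Treat the probe as a signal only if the server distinguishes it from a
    control request that is equally malformed but carries no probe at all."""
    if probe_status == control_status:
        return "Inconclusive (probe and control are indistinguishable)"
    return "Probe-specific response; investigate further"


# Constructed inputs: a placeholder standing in for the scanner's probe
# (no real payload is reproduced here) and an unrelated nonsense query.
PROBE_QUERY = "PLACEHOLDER_PROBE_PARAM=x"
CONTROL_QUERY = "foo=bar&totally=unrelated"


def run_comparison() -> dict:
    """Run both verdicts against the modelled endpoint and return the results."""
    probe = model_auth_endpoint(PROBE_QUERY)
    control = model_auth_endpoint(CONTROL_QUERY)
    return {
        "naive_on_probe": naive_verdict(probe),      # "Vulnerable!"
        "naive_on_control": naive_verdict(control),  # also "Vulnerable!"
        "differential": differential_verdict(probe, control),
    }


if __name__ == "__main__":
    for name, verdict in run_comparison().items():
        print(f"{name}: {verdict}")
```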

Keycloak is not based on Spring at all!

There are only some adapters FOR Spring, but they are outdated, deprecated and out of any support.

7 Likes