[keycloak-user] Keycloak vulnerabilities reported via OWASP Dependency Check

Hi Keycloak, We have been playing around with Keycloak since sometime now and found it to be a wonderful product. As the next step we were planning to use it on our production systems but came across with the following vulnerabilities (gathered from *OWASP Dependency Check <https://www.owasp.org/index.php/OWASP_Dependency_Check> * tool). These vulnerabilities are now stopping us to adapt and use Keycloak as our SSO solution. I did not find any JIRA addressing this problem. Can you please let us know if these concerns were raised earlier too or any other path that can help us in mitigating the problem? *Dependency* *CPE* *GAV* *Highest Severity* *CVE Count* *CPE Confidence* *Evidence Count* *jackson-annotations-2.5.4.jar* *cpe:/a:fasterxml:jackson:2.5.4* *com.fasterxml.jackson.core:jackson-annotations:2.5.4 <http://search.maven.org/#search|ga|1|1%3A%227a93b60f5d2d43024f34e15893552... *Medium* *1* *LOW* *25* *jackson-core-2.5.4.jar* *cpe:/a:fasterxml:jackson:2.5.4* *com.fasterxml.jackson.core:jackson-core:2.5.4 <http://search.maven.org/#search|ga|1|1%3A%220a57a2df1a23ca1ee32f129173ba7... *Medium* *1* *LOW* *25* *jackson-databind-2.5.4.jar* *cpe:/a:fasterxml:jackson:2.5.4* *com.fasterxml.jackson.core:jackson-databind:2.5.4 <http://search.maven.org/#search|ga|1|1%3A%225dfa42af84584b4a862ea488da84b... *Medium* *1* *LOW* *25* *jackson-jaxrs-base-2.5.4.jar* *cpe:/a:fasterxml:jackson:2.5.4* *com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.5.4 <http://search.maven.org/#search|ga|1|1%3A%228af261181ae4fb16ccce5e116fa25... *High* *2* *LOW* *24* *netty-all-4.0.32.Final.jar* *cpe:/a:netty_project:netty:4.0.32 <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve... *io.netty:netty-all:4.0.32.Final <http://search.maven.org/#search|ga|1|1%3A%22e8872b84e976530d8041718a71a98... *High* *1* *HIGHEST* *14* *undertow-js-1.0.1.Final.jar* *cpe:/a:redhat:undertow:1.0.1* *io.undertow.js:undertow-js:1.0.1.Final <http://search.maven.org/#search|ga|1|1%3A%221c1c1e3c799a82530da95fa0be50f... *Medium* *1* *LOW* *20* *cdi-api-1.2.jar* *cpe:/a:redhat:jboss_weld:1.2* *javax.enterprise:cdi-api:1.2 <http://search.maven.org/#search|ga|1|1%3A%2253bba91dc3968adf411e076df020c... *Medium* *1* *LOW* *23* *openjdk-orb-8.0.5.Final.jar* *cpe:/a:oracle:openjdk:8.0.5* *org.jboss.openjdk-orb:openjdk-orb:8.0.5.Final* *Low* *1* *LOW* *19* *cxf-services-sts-core-3.1.4.jar* *cpe:/a:apache:cxf:3.1.4* *org.apache.cxf.services.sts:cxf-services-sts-core:3.1.4 <http://search.maven.org/#search|ga|1|1%3A%2236b5859fdff1fb6e185a4be915be9... *Medium* *3* *LOW* *22* *cxf-xjc-dv-3.0.5.jar* *cpe:/a:apache:cxf:3.0.5* *org.apache.cxf.xjcplugins:cxf-xjc-dv:3.0.5 <http://search.maven.org/#search|ga|1|1%3A%225293323564e2610b67b515d3d4d62... *Medium* *4* *LOW* *18* *cxf-core-3.1.4.jar* *cpe:/a:apache:cxf:3.1.4* *org.apache.cxf:cxf-core:3.1.4 <http://search.maven.org/#search|ga|1|1%3A%225387c3daecea4e2b4c7bf74c77e81... *Medium* *3* *LOW* *22* *proton-j-0.8.jar* *cpe:/a:apache:qpid:0.8 <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve... *org.apache.qpid:proton-j:0.8 <http://search.maven.org/#search|ga|1|1%3A%22214f388165d45d593b050b3b36aac... *Medium* *10* *HIGHEST* *17* *cpe:/a:apache:qpid_proton:0.8.0 <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve... *xalan-2.7.1.jbossorg-2.jar* *cpe:/a:apache:xalan-java:2.7.1 <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve... *High* *1* *HIGHEST* *29* *jackson-core-asl-1.9.13.jar* *cpe:/a:fasterxml:jackson:1.9.13* *org.codehaus.jackson:jackson-core-asl:1.9.13 <http://search.maven.org/remotecontent?filepath=org/codehaus/jackson/jacks... *High* *2* *LOW* *22* *jackson-jaxrs-1.9.13.jar* *cpe:/a:fasterxml:jackson:1.9.13* *org.codehaus.jackson:jackson-jaxrs:1.9.13 <http://search.maven.org/remotecontent?filepath=org/codehaus/jackson/jacks... *High* *2* *LOW* *21* *jackson-mapper-asl-1.9.13.jar* *cpe:/a:fasterxml:jackson:1.9.13* *org.codehaus.jackson:jackson-mapper-asl:1.9.13 <http://search.maven.org/remotecontent?filepath=org/codehaus/jackson/jacks... *High* *2* *LOW* *21* *jackson-xc-1.9.13.jar* *cpe:/a:fasterxml:jackson:1.9.13* *org.codehaus.jackson:jackson-xc:1.9.13 <http://search.maven.org/remotecontent?filepath=org/codehaus/jackson/jacks... *High* *2* *LOW* *21* *wildfly-clustering-jgroups-extension-10.0.0.Final.jar* *cpe:/a:redhat:jgroups:10.0.0* *org.wildfly:wildfly-clustering-jgroups-extension:10.0.0.Final <http://search.maven.org/#search|ga|1|1%3A%227ff0f135e10d4f4afafd19ebb0320... *High* *1* *LOW* *21* *mod_cluster-container-spi-1.3.1.Final.jar* *cpe:/a:redhat:mod_cluster:1.3.1 <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve... *org.jboss.mod_cluster:mod_cluster-container-spi:1.3.1.Final* *Medium* *1* *HIGHEST* *18* *mod_cluster-core-1.3.1.Final.jar* *cpe:/a:redhat:mod_cluster:1.3.1 <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve... *org.jboss.mod_cluster:mod_cluster-core:1.3.1.Final* *Medium* *1* *HIGHEST* *18* *jose-jwt-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:jose-jwt:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%228d28c3d644afac9c6bd4bae58d827... *Medium* *4* *LOW* *20* *resteasy-atom-provider-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-atom-provider:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%225031e899ec910ddf6945f73c03f3b... *Medium* *4* *LOW* *20* *resteasy-cdi-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-cdi:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%222748ad6a006334a2c330e49d3ad3e... *Medium* *4* *LOW* *20* *resteasy-crypto-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-crypto:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%22c46dcbebd503306b777402e9c2d78... *Medium* *4* *LOW* *20* *resteasy-jackson-provider-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-jackson-provider:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%2226d8c7b3d3dc933eba15c51ecd59a... *Medium* *4* *LOW* *20* *resteasy-jackson2-provider-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-jackson2-provider:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%227126a2267d2ed84472cca7bd78040... *Medium* *4* *LOW* *20* *resteasy-jaxb-provider-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-jaxb-provider:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%2239ae9c24c9ea5e0b4e6fedf997cff... *Medium* *4* *LOW* *20* *async-http-servlet-3.0-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:async-http-servlet-3.0:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%22cbd82bbdb368bc92cac6ea8b90ba4... *Medium* *4* *LOW* *19* *resteasy-jaxrs-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-jaxrs:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%22a3974127a846dfe4dc5911f46c9dd... *Medium* *4* *LOW* *20* *resteasy-jettison-provider-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-jettison-provider:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%2295e252f48dd51a794831fa7cef859... *Medium* *4* *LOW* *20* *resteasy-jsapi-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-jsapi:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%2294674b630328841b9f1c8db7bca52... *Medium* *4* *LOW* *20* *resteasy-json-p-provider-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-json-p-provider:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%225c43f9986593b9bf965ac498252c7... *Medium* *4* *LOW* *20* *resteasy-multipart-provider-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-multipart-provider:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%228a89bd4822758826ddd08e85c0b87... *Medium* *4* *LOW* *20* *resteasy-spring-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-spring:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%228c66bf3cb05b5c041d702c7f73b80... *Medium* *4* *LOW* *20* *resteasy-validator-provider-11-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-validator-provider-11:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%222b2cdf6d8210be1fabdde88eededc... *Medium* *4* *LOW* *21* *resteasy-yaml-provider-3.0.14.Final.jar* *cpe:/a:redhat:resteasy:3.0.14* *org.jboss.resteasy:resteasy-yaml-provider:3.0.14.Final <http://search.maven.org/#search|ga|1|1%3A%2204b3a4d21ca93de9015d09ce53b53... *Medium* *4* *LOW* *20* *jaxws-undertow-httpspi-1.0.1.Final.jar* *cpe:/a:redhat:undertow:1.0.1* *org.jboss.ws.projects:jaxws-undertow-httpspi:1.0.1.Final <http://search.maven.org/#search|ga|1|1%3A%229c9815d529f7b2cb5f714a6337c63... *Medium* *1* *LOW* *15* *picketlink-common-2.5.5.SP1.jar* *cpe:/a:picketlink:picketlink:2.5.5.sp1* *org.picketlink:picketlink-common:2.5.5.SP1 <http://search.maven.org/#search|ga|1|1%3A%22bae415804a1ebebca06b3cd10f331... *Medium* *3* *LOW* *14* *picketlink-config-2.5.5.SP1.jar* *cpe:/a:picketlink:picketlink:2.5.5.sp1* *org.picketlink:picketlink-config:2.5.5.SP1* *Medium* *3* *LOW* *11* *picketlink-api-2.5.5.SP1.jar* *cpe:/a:picketlink:picketlink:2.5.5.sp1* *org.picketlink:picketlink-api:2.5.5.SP1 <http://search.maven.org/#search|ga|1|1%3A%22d241908e412703432d2ea2d3cb32b... *Medium* *3* *LOW* *14* *picketlink-impl-2.5.5.SP1.jar* *cpe:/a:picketlink:picketlink:2.5.5.sp1* *org.picketlink:picketlink-impl:2.5.5.SP1 <http://search.maven.org/#search|ga|1|1%3A%22f98726b18389968646aab6755dc9b... *Medium* *3* *LOW* *13* *picketlink-wildfly8-2.5.5.SP1.jar* *cpe:/a:picketlink:picketlink:2.5.5.sp1* *org.picketlink.distribution:picketlink-wildfly8:2.5.5.SP1 <http://search.maven.org/remotecontent?filepath=org/picketlink/distributio... *Medium* *3* *LOW* *22* *picketlink-federation-2.5.5.SP1.jar* *cpe:/a:picketlink:picketlink:2.5.5.sp1* *org.picketlink:picketlink-federation:2.5.5.SP1 <http://search.maven.org/#search|ga|1|1%3A%22c559de29d4309a3cc2d96a4e407a5... *Medium* *3* *LOW* *17* *picketlink-idm-api-2.5.5.SP1.jar* *cpe:/a:picketlink:picketlink:2.5.5.sp1* *org.picketlink:picketlink-idm-api:2.5.5.SP1 <http://search.maven.org/#search|ga|1|1%3A%227d2f839a879702ece8a3eb604514a... *Medium* *3* *LOW* *13* *picketlink-idm-impl-2.5.5.SP1.jar* *cpe:/a:picketlink:picketlink:2.5.5.sp1* *org.picketlink:picketlink-idm-impl:2.5.5.SP1 <http://search.maven.org/#search|ga|1|1%3A%228ef97a0fef20a795edf76ec7febc5... *Medium* *3* *LOW* *14* *picketlink-idm-simple-schema-2.5.5.SP1.jar* *cpe:/a:picketlink:picketlink:2.5.5.sp1* *org.picketlink:picketlink-idm-simple-schema:2.5.5.SP1 <http://search.maven.org/#search|ga|1|1%3A%2277a90ab547910752875a51bec0c2d... *Medium* *3* *LOW* *15* *wildfly-clustering-jgroups-api-10.0.0.Final.jar* *cpe:/a:redhat:jgroups:10.0.0* *org.wildfly:wildfly-clustering-jgroups-api:10.0.0.Final* *High* *1* *LOW* *18* *wildfly-clustering-jgroups-spi-10.0.0.Final.jar* *cpe:/a:redhat:jgroups:10.0.0* *org.wildfly:wildfly-clustering-jgroups-spi:10.0.0.Final* *High* *1* *LOW* *18* *wildfly-iiop-openjdk-10.0.0.Final.jar* *cpe:/a:oracle:openjdk:10.0.0* *org.wildfly:wildfly-iiop-openjdk:10.0.0.Final* *Low* *1* *LOW* *18* *wildfly-jberet-10.0.0.Final.jar* *cpe:/a:redhat:jboss_wildfly_application_server:10.0.0 <https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cve... *org.wildfly:wildfly-jberet:10.0.0.Final* *Medium* *3* *HIGHEST* *19* *keycloak-authz-policy-drools-3.2.1.Final.jar* *cpe:/a:redhat:drools:3.2.1* *org.keycloak:keycloak-authz-policy-drools:3.2.1.Final* *High* *1* *LOW* *18* Many Thanks, -Nirmal