[keycloak-user] Keycloak vulnerabilities reported via OWASP Dependency Check

NiRmAl KuMaR nirmal.hbti at gmail.com
Thu Aug 10 09:23:31 EDT 2017


Hi Keycloak,

We have been playing around with Keycloak for some time now and found it
to be a wonderful product.

As the next step we were planning to use it on our production systems but
came across the following vulnerabilities (gathered from the OWASP
Dependency Check <https://www.owasp.org/index.php/OWASP_Dependency_Check>
tool).
These vulnerabilities are now stopping us from adopting Keycloak as our
SSO solution.

I did not find any JIRA addressing this problem.

Can you please let us know if these concerns were raised earlier too, or of
any other path that can help us in mitigating the problem?

| Dependency | CPE | GAV | Highest Severity | CVE Count | CPE Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| jackson-annotations-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.core:jackson-annotations:2.5.4 | Medium | 1 | LOW | 25 |
| jackson-core-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.core:jackson-core:2.5.4 | Medium | 1 | LOW | 25 |
| jackson-databind-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.core:jackson-databind:2.5.4 | Medium | 1 | LOW | 25 |
| jackson-jaxrs-base-2.5.4.jar | cpe:/a:fasterxml:jackson:2.5.4 | com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:2.5.4 | High | 2 | LOW | 24 |
| netty-all-4.0.32.Final.jar | cpe:/a:netty_project:netty:4.0.32 | io.netty:netty-all:4.0.32.Final | High | 1 | HIGHEST | 14 |
| undertow-js-1.0.1.Final.jar | cpe:/a:redhat:undertow:1.0.1 | io.undertow.js:undertow-js:1.0.1.Final | Medium | 1 | LOW | 20 |
| cdi-api-1.2.jar | cpe:/a:redhat:jboss_weld:1.2 | javax.enterprise:cdi-api:1.2 | Medium | 1 | LOW | 23 |
| openjdk-orb-8.0.5.Final.jar | cpe:/a:oracle:openjdk:8.0.5 | org.jboss.openjdk-orb:openjdk-orb:8.0.5.Final | Low | 1 | LOW | 19 |
| cxf-services-sts-core-3.1.4.jar | cpe:/a:apache:cxf:3.1.4 | org.apache.cxf.services.sts:cxf-services-sts-core:3.1.4 | Medium | 3 | LOW | 22 |
| cxf-xjc-dv-3.0.5.jar | cpe:/a:apache:cxf:3.0.5 | org.apache.cxf.xjcplugins:cxf-xjc-dv:3.0.5 | Medium | 4 | LOW | 18 |
| cxf-core-3.1.4.jar | cpe:/a:apache:cxf:3.1.4 | org.apache.cxf:cxf-core:3.1.4 | Medium | 3 | LOW | 22 |
| proton-j-0.8.jar | cpe:/a:apache:qpid:0.8, cpe:/a:apache:qpid_proton:0.8.0 | org.apache.qpid:proton-j:0.8 | Medium | 10 | HIGHEST | 17 |
| xalan-2.7.1.jbossorg-2.jar | cpe:/a:apache:xalan-java:2.7.1 | (none) | High | 1 | HIGHEST | 29 |
| jackson-core-asl-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-core-asl:1.9.13 | High | 2 | LOW | 22 |
| jackson-jaxrs-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-jaxrs:1.9.13 | High | 2 | LOW | 21 |
| jackson-mapper-asl-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-mapper-asl:1.9.13 | High | 2 | LOW | 21 |
| jackson-xc-1.9.13.jar | cpe:/a:fasterxml:jackson:1.9.13 | org.codehaus.jackson:jackson-xc:1.9.13 | High | 2 | LOW | 21 |
| wildfly-clustering-jgroups-extension-10.0.0.Final.jar | cpe:/a:redhat:jgroups:10.0.0 | org.wildfly:wildfly-clustering-jgroups-extension:10.0.0.Final | High | 1 | LOW | 21 |
| mod_cluster-container-spi-1.3.1.Final.jar | cpe:/a:redhat:mod_cluster:1.3.1 | org.jboss.mod_cluster:mod_cluster-container-spi:1.3.1.Final | Medium | 1 | HIGHEST | 18 |
| mod_cluster-core-1.3.1.Final.jar | cpe:/a:redhat:mod_cluster:1.3.1 | org.jboss.mod_cluster:mod_cluster-core:1.3.1.Final | Medium | 1 | HIGHEST | 18 |
| jose-jwt-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:jose-jwt:3.0.14.Final | Medium | 4 | LOW | 20 |
| resteasy-atom-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-atom-provider:3.0.14.Final | Medium | 4 | LOW | 20 |
| resteasy-cdi-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-cdi:3.0.14.Final | Medium | 4 | LOW | 20 |
| resteasy-crypto-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-crypto:3.0.14.Final | Medium | 4 | LOW | 20 |
| resteasy-jackson-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jackson-provider:3.0.14.Final | Medium | 4 | LOW | 20 |
| resteasy-jackson2-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jackson2-provider:3.0.14.Final | Medium | 4 | LOW | 20 |
| resteasy-jaxb-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jaxb-provider:3.0.14.Final | Medium | 4 | LOW | 20 |
| async-http-servlet-3.0-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:async-http-servlet-3.0:3.0.14.Final | Medium | 4 | LOW | 19 |
| resteasy-jaxrs-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jaxrs:3.0.14.Final | Medium | 4 | LOW | 20 |
| resteasy-jettison-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jettison-provider:3.0.14.Final | Medium | 4 | LOW | 20 |
| resteasy-jsapi-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-jsapi:3.0.14.Final | Medium | 4 | LOW | 20 |
| resteasy-json-p-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-json-p-provider:3.0.14.Final | Medium | 4 | LOW | 20 |
| resteasy-multipart-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-multipart-provider:3.0.14.Final | Medium | 4 | LOW | 20 |
| resteasy-spring-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-spring:3.0.14.Final | Medium | 4 | LOW | 20 |
| resteasy-validator-provider-11-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-validator-provider-11:3.0.14.Final | Medium | 4 | LOW | 21 |
| resteasy-yaml-provider-3.0.14.Final.jar | cpe:/a:redhat:resteasy:3.0.14 | org.jboss.resteasy:resteasy-yaml-provider:3.0.14.Final | Medium | 4 | LOW | 20 |
| jaxws-undertow-httpspi-1.0.1.Final.jar | cpe:/a:redhat:undertow:1.0.1 | org.jboss.ws.projects:jaxws-undertow-httpspi:1.0.1.Final | Medium | 1 | LOW | 15 |
| picketlink-common-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-common:2.5.5.SP1 | Medium | 3 | LOW | 14 |
| picketlink-config-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-config:2.5.5.SP1 | Medium | 3 | LOW | 11 |
| picketlink-api-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-api:2.5.5.SP1 | Medium | 3 | LOW | 14 |
| picketlink-impl-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-impl:2.5.5.SP1 | Medium | 3 | LOW | 13 |
| picketlink-wildfly8-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink.distribution:picketlink-wildfly8:2.5.5.SP1 | Medium | 3 | LOW | 22 |
| picketlink-federation-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-federation:2.5.5.SP1 | Medium | 3 | LOW | 17 |
| picketlink-idm-api-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-idm-api:2.5.5.SP1 | Medium | 3 | LOW | 13 |
| picketlink-idm-impl-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-idm-impl:2.5.5.SP1 | Medium | 3 | LOW | 14 |
| picketlink-idm-simple-schema-2.5.5.SP1.jar | cpe:/a:picketlink:picketlink:2.5.5.sp1 | org.picketlink:picketlink-idm-simple-schema:2.5.5.SP1 | Medium | 3 | LOW | 15 |
| wildfly-clustering-jgroups-api-10.0.0.Final.jar | cpe:/a:redhat:jgroups:10.0.0 | org.wildfly:wildfly-clustering-jgroups-api:10.0.0.Final | High | 1 | LOW | 18 |
| wildfly-clustering-jgroups-spi-10.0.0.Final.jar | cpe:/a:redhat:jgroups:10.0.0 | org.wildfly:wildfly-clustering-jgroups-spi:10.0.0.Final | High | 1 | LOW | 18 |
| wildfly-iiop-openjdk-10.0.0.Final.jar | cpe:/a:oracle:openjdk:10.0.0 | org.wildfly:wildfly-iiop-openjdk:10.0.0.Final | Low | 1 | LOW | 18 |
| wildfly-jberet-10.0.0.Final.jar | cpe:/a:redhat:jboss_wildfly_application_server:10.0.0 | org.wildfly:wildfly-jberet:10.0.0.Final | Medium | 3 | HIGHEST | 19 |
| keycloak-authz-policy-drools-3.2.1.Final.jar | cpe:/a:redhat:drools:3.2.1 | org.keycloak:keycloak-authz-policy-drools:3.2.1.Final | High | 1 | LOW | 18 |


Many Thanks,
-Nirmal
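An added triage helper for a report like the one above; it is not code from the post, from OWASP Dependency Check or from the Keycloak project. It takes a handful of the table's rows (constructed inline) and flags LOW-confidence rows whose CPE product name does not fit the Maven groupId; the matching rule is my own assumption, and a flagged row is a candidate to verify by hand against the vendor's advisories, not a false positive by default.

```python
import re

# Rows constructed from the table in the post: (jar, CPE, Maven GAV or None, CPE confidence).
ROWS = [
    ("jackson-databind-2.5.4.jar", "cpe:/a:fasterxml:jackson:2.5.4",
     "com.fasterxml.jackson.core:jackson-databind:2.5.4", "LOW"),
    ("netty-all-4.0.32.Final.jar", "cpe:/a:netty_project:netty:4.0.32",
     "io.netty:netty-all:4.0.32.Final", "HIGHEST"),
    ("cdi-api-1.2.jar", "cpe:/a:redhat:jboss_weld:1.2", "javax.enterprise:cdi-api:1.2", "LOW"),
    ("openjdk-orb-8.0.5.Final.jar", "cpe:/a:oracle:openjdk:8.0.5",
     "org.jboss.openjdk-orb:openjdk-orb:8.0.5.Final", "LOW"),
    ("xalan-2.7.1.jbossorg-2.jar", "cpe:/a:apache:xalan-java:2.7.1", None, "HIGHEST"),
    ("wildfly-clustering-jgroups-api-10.0.0.Final.jar", "cpe:/a:redhat:jgroups:10.0.0",
     "org.wildfly:wildfly-clustering-jgroups-api:10.0.0.Final", "LOW"),
    ("wildfly-iiop-openjdk-10.0.0.Final.jar", "cpe:/a:oracle:openjdk:10.0.0",
     "org.wildfly:wildfly-iiop-openjdk:10.0.0.Final", "LOW"),
    ("keycloak-authz-policy-drools-3.2.1.Final.jar", "cpe:/a:redhat:drools:3.2.1",
     "org.keycloak:keycloak-authz-policy-drools:3.2.1.Final", "LOW"),
]

def parse_cpe(cpe):
    """Split a CPE 2.2 URI 'cpe:/a:vendor:product:version' into (vendor, product, version)."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "/a":
        raise ValueError(f"unsupported CPE: {cpe}")
    return parts[2], parts[3], parts[4]

def product_matches_group(product, group_id):
    """Heuristic (an assumption of this example, not a Dependency Check rule): the CPE
    product should be a dot-separated word of the groupId, e.g. 'jackson' in
    'com.fasterxml.jackson.core'; multi-word products such as 'jboss_weld' match if any word does."""
    group_words = set(group_id.lower().split("."))
    return any(word in group_words for word in re.split(r"[_-]", product.lower()))

def triage(rows):
    """Return (jar, cpe, note) for LOW-confidence rows whose CPE product does not fit the
    GAV owner. These are candidates to verify by hand, not rows to suppress blindly."""
    suspects = []
    for jar, cpe, gav, confidence in rows:
        if confidence != "LOW" or gav is None:
            continue  # HIGHEST: keep the scanner's match; no GAV: nothing to compare
        vendor, product, version = parse_cpe(cpe)
        group_id, _artifact_id, artifact_version = gav.split(":")
        if not product_matches_group(product, group_id):
            note = f"product {vendor}:{product} not in groupId {group_id}"
            if artifact_version.startswith(version):
                note += f"; CPE version {version} equals the jar's own version"
            suspects.append((jar, cpe, note))
    return suspects
```

Rows the helper does not flag (the Jackson, CXF, RESTEasy and PicketLink entries) still carry real CVE counts and need the normal upgrade-or-accept decision; the helper only orders the manual work.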

