[keycloak-user] CVE-2018-14637 temporary mitigation with compensating controls?
pkboucher801 at gmail.com
pkboucher801 at gmail.com
Fri Mar 1 07:11:05 EST 2019
This
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2018-14637&vec
tor=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H says that a SAML response from an
external IdP can be replayed, because the expirations of the assertions are
not checked (fixed in 4.6.0).
The questions I have are about temporary mitigation before deploying version
4.6.0+.
1) Doesn't Keycloak enforce a one-time use restriction, so that no SAML
response from an IdP could be reused?
2) If you have "last mile" TLS, so that the SAML responses are never
transmitted in the clear, wouldn't that preclude an attacker from capturing
a response in order to replay it?
3) Are there any other configurations or controls useful in temporary
mitigation (e.g., IP whitelisting, so that SAML responses can only get in
from the IdP's CIDR ranges)?
Thanks!
Regards,
Peter
More information about the keycloak-user
mailing list