CVE-2024-10973: Keycloak on Quarkus CLI option for encrypted JGroups ignored
The env option KC_CACHE_EMBEDDED_MTLS_ENABLED
does not work and the jgroups replication configuration is always used in plain. This option worked before in 24 and 22. More info in public issue https://github.com/keycloak/keycloak/issues/34644.
References
- access.redhat.com/security/cve/CVE-2024-10973
- bugzilla.redhat.com/show_bug.cgi?id=2324361
- github.com/advisories/GHSA-g6qq-c9f9-2772
- github.com/keycloak/keycloak
- github.com/keycloak/keycloak/commit/071032a108bd9e9fce9e66d00c36d56bd4b334df
- github.com/keycloak/keycloak/commit/36defd5f33b2da5d705f179bbaa21c28b13a9996
- github.com/keycloak/keycloak/issues/28750
- github.com/keycloak/keycloak/issues/34644
- github.com/keycloak/keycloak/pull/28756
- github.com/keycloak/keycloak/pull/34668
- github.com/keycloak/keycloak/security/advisories/GHSA-g6qq-c9f9-2772
- nvd.nist.gov/vuln/detail/CVE-2024-10973
Detect and mitigate CVE-2024-10973 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →