
A keycloak security update has been released for Arch Linux to address an arbitrary code execution vulnerability.



Arch Linux Security Advisory ASA-202005-8
=========================================

Severity: High
Date    : 2020-05-16
CVE-ID  : CVE-2020-1714
Package : keycloak
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1158

Summary
=======

The package keycloak before version 10.0.1-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 10.0.1-1.

# pacman -Syu "keycloak>=10.0.1-1"

The problem has been fixed upstream in version 10.0.1.

Workaround
==========

None.

Description
===========

A flaw was found in Keycloak, where the code base contains usages of
ObjectInputStream without type checks. This flaw allows an attacker to
inject arbitrarily serialized Java Objects, which would then get
deserialized in a privileged context and potentially lead to remote
code execution.

Impact
======

An authenticated remote attacker could execute arbitrary code by
injecting values into a custom attribute.
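The pattern described above (unchecked ObjectInputStream.readObject() beside a hardened form), as an added illustration that is not Keycloak's code or the upstream fix. It assumes Java 9 or later; the Attribute class and the sample bytes are constructed here to stand in for a value stored in a custom attribute.

```java
import java.io.*;
import java.util.Set;

public class SafeDeserialization {
    /** Hypothetical value type, standing in for an attribute stored by the application. */
    public static final class Attribute implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name, value;
        Attribute(String name, String value) { this.name = name; this.value = value; }
    }

    /** Vulnerable pattern: the stream decides which classes get instantiated, so any
     *  serializable class on the classpath (including gadget chains) can be materialised. */
    static Object readUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: resolveClass() runs before a class is loaded or instantiated,
     *  so an explicit allowlist stops unexpected types at the class-descriptor stage. */
    static Object readChecked(byte[] data, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if (!allowed.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an Attribute serialized in-process.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(new Attribute("department", "sales"));
        }
        byte[] data = buf.toByteArray();

        Attribute a = (Attribute) readChecked(data, Set.of(Attribute.class.getName()));
        System.out.println("accepted: " + a.name + "=" + a.value);
        try {
            readChecked(data, Set.of("java.lang.String")); // Attribute is not allowlisted
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can also be expressed with java.io.ObjectInputFilter (per-stream via setObjectInputFilter, or process-wide via the jdk.serialFilter property) rather than by overriding resolveClass.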

References
==========

  https://bugs.archlinux.org/task/66642
  https://github.com/keycloak/keycloak/pull/7053
  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1714
  https://security.archlinux.org/CVE-2020-1714