csaf_redhat - rhsa-2025:18255

RHSA-2025:18255

Vulnerability from csaf_redhat - Published: 2025-10-16 14:50 - Updated: 2025-12-23 20:43

Summary

Red Hat Security Advisory: Red Hat build of Keycloak 26.0.16 Update

Notes

Topic

New Red Hat build of Keycloak 26.0.16 packages are available from the Customer Portal

Details

Red Hat build of Keycloak 26.0.16 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Security fixes: * Keycloak TLS Client-Initiated Renegotiation Denial of Service (CVE-2025-11419)

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "New Red Hat build of Keycloak 26.0.16 packages are available from the Customer Portal",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat build of Keycloak 26.0.16 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nSecurity fixes:\n* Keycloak TLS Client-Initiated Renegotiation Denial of Service (CVE-2025-11419)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2025:18255",
        "url": "https://access.redhat.com/errata/RHSA-2025:18255"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_18255.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.0.16 Update",
    "tracking": {
      "current_release_date": "2025-12-23T20:43:01+00:00",
      "generator": {
        "date": "2025-12-23T20:43:01+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.14"
        }
      },
      "id": "RHSA-2025:18255",
      "initial_release_date": "2025-10-16T14:50:34+00:00",
      "revision_history": [
        {
          "date": "2025-10-16T14:50:34+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-10-16T14:50:34+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-12-23T20:43:01+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat build of Keycloak 26.0",
                "product": {
                  "name": "Red Hat build of Keycloak 26.0",
                  "product_id": "9Base-RHBK-26.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:build_keycloak:26.0::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat build of Keycloak"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhbk/keycloak-rhel9@sha256:42c1e459585e03df56aca5bbf83081d95f21b121f623fec4d36e9a42f697f945_s390x",
                "product": {
                  "name": "rhbk/keycloak-rhel9@sha256:42c1e459585e03df56aca5bbf83081d95f21b121f623fec4d36e9a42f697f945_s390x",
                  "product_id": "rhbk/keycloak-rhel9@sha256:42c1e459585e03df56aca5bbf83081d95f21b121f623fec4d36e9a42f697f945_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/keycloak-rhel9@sha256:42c1e459585e03df56aca5bbf83081d95f21b121f623fec4d36e9a42f697f945?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.0-20"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhbk/keycloak-rhel9-operator@sha256:aef5994b152d534e81c9832b67cf6ff68e760d55915f830be02ac2bcaceae553_s390x",
                "product": {
                  "name": "rhbk/keycloak-rhel9-operator@sha256:aef5994b152d534e81c9832b67cf6ff68e760d55915f830be02ac2bcaceae553_s390x",
                  "product_id": "rhbk/keycloak-rhel9-operator@sha256:aef5994b152d534e81c9832b67cf6ff68e760d55915f830be02ac2bcaceae553_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/keycloak-rhel9-operator@sha256:aef5994b152d534e81c9832b67cf6ff68e760d55915f830be02ac2bcaceae553?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.0-21"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhbk/keycloak-rhel9@sha256:cfc457ab3d6cadd50622b18a1bf3967754545ba3cc435cd29ad4e80d592050e5_ppc64le",
                "product": {
                  "name": "rhbk/keycloak-rhel9@sha256:cfc457ab3d6cadd50622b18a1bf3967754545ba3cc435cd29ad4e80d592050e5_ppc64le",
                  "product_id": "rhbk/keycloak-rhel9@sha256:cfc457ab3d6cadd50622b18a1bf3967754545ba3cc435cd29ad4e80d592050e5_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/keycloak-rhel9@sha256:cfc457ab3d6cadd50622b18a1bf3967754545ba3cc435cd29ad4e80d592050e5?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.0-20"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhbk/keycloak-rhel9-operator@sha256:3df0789cf7012777396528a72fd7c8af718bdf61e79ca3a5097ee77e37ade59d_ppc64le",
                "product": {
                  "name": "rhbk/keycloak-rhel9-operator@sha256:3df0789cf7012777396528a72fd7c8af718bdf61e79ca3a5097ee77e37ade59d_ppc64le",
                  "product_id": "rhbk/keycloak-rhel9-operator@sha256:3df0789cf7012777396528a72fd7c8af718bdf61e79ca3a5097ee77e37ade59d_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/keycloak-rhel9-operator@sha256:3df0789cf7012777396528a72fd7c8af718bdf61e79ca3a5097ee77e37ade59d?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.0-21"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rhbk/keycloak-rhel9@sha256:bbda28678bec5d9778a3f0da5bb2cb9becc971f6080eb03758316721720b83e8_amd64",
                "product": {
                  "name": "rhbk/keycloak-rhel9@sha256:bbda28678bec5d9778a3f0da5bb2cb9becc971f6080eb03758316721720b83e8_amd64",
                  "product_id": "rhbk/keycloak-rhel9@sha256:bbda28678bec5d9778a3f0da5bb2cb9becc971f6080eb03758316721720b83e8_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/keycloak-rhel9@sha256:bbda28678bec5d9778a3f0da5bb2cb9becc971f6080eb03758316721720b83e8?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.0-20"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhbk/keycloak-operator-bundle@sha256:43a298583415c35ecbb5325283a9892566bd08fb0eb2ebd37e90610d88269649_amd64",
                "product": {
                  "name": "rhbk/keycloak-operator-bundle@sha256:43a298583415c35ecbb5325283a9892566bd08fb0eb2ebd37e90610d88269649_amd64",
                  "product_id": "rhbk/keycloak-operator-bundle@sha256:43a298583415c35ecbb5325283a9892566bd08fb0eb2ebd37e90610d88269649_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/keycloak-operator-bundle@sha256:43a298583415c35ecbb5325283a9892566bd08fb0eb2ebd37e90610d88269649?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-operator-bundle\u0026tag=26.0.16-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rhbk/keycloak-rhel9-operator@sha256:14b0fbc122f85168376a1769d591641fc2c8e93c0d0b771065cd3779b5ebc546_amd64",
                "product": {
                  "name": "rhbk/keycloak-rhel9-operator@sha256:14b0fbc122f85168376a1769d591641fc2c8e93c0d0b771065cd3779b5ebc546_amd64",
                  "product_id": "rhbk/keycloak-rhel9-operator@sha256:14b0fbc122f85168376a1769d591641fc2c8e93c0d0b771065cd3779b5ebc546_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/keycloak-rhel9-operator@sha256:14b0fbc122f85168376a1769d591641fc2c8e93c0d0b771065cd3779b5ebc546?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.0-21"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhbk/keycloak-operator-bundle@sha256:43a298583415c35ecbb5325283a9892566bd08fb0eb2ebd37e90610d88269649_amd64 as a component of Red Hat build of Keycloak 26.0",
          "product_id": "9Base-RHBK-26.0:rhbk/keycloak-operator-bundle@sha256:43a298583415c35ecbb5325283a9892566bd08fb0eb2ebd37e90610d88269649_amd64"
        },
        "product_reference": "rhbk/keycloak-operator-bundle@sha256:43a298583415c35ecbb5325283a9892566bd08fb0eb2ebd37e90610d88269649_amd64",
        "relates_to_product_reference": "9Base-RHBK-26.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhbk/keycloak-rhel9-operator@sha256:14b0fbc122f85168376a1769d591641fc2c8e93c0d0b771065cd3779b5ebc546_amd64 as a component of Red Hat build of Keycloak 26.0",
          "product_id": "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:14b0fbc122f85168376a1769d591641fc2c8e93c0d0b771065cd3779b5ebc546_amd64"
        },
        "product_reference": "rhbk/keycloak-rhel9-operator@sha256:14b0fbc122f85168376a1769d591641fc2c8e93c0d0b771065cd3779b5ebc546_amd64",
        "relates_to_product_reference": "9Base-RHBK-26.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhbk/keycloak-rhel9-operator@sha256:3df0789cf7012777396528a72fd7c8af718bdf61e79ca3a5097ee77e37ade59d_ppc64le as a component of Red Hat build of Keycloak 26.0",
          "product_id": "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:3df0789cf7012777396528a72fd7c8af718bdf61e79ca3a5097ee77e37ade59d_ppc64le"
        },
        "product_reference": "rhbk/keycloak-rhel9-operator@sha256:3df0789cf7012777396528a72fd7c8af718bdf61e79ca3a5097ee77e37ade59d_ppc64le",
        "relates_to_product_reference": "9Base-RHBK-26.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhbk/keycloak-rhel9-operator@sha256:aef5994b152d534e81c9832b67cf6ff68e760d55915f830be02ac2bcaceae553_s390x as a component of Red Hat build of Keycloak 26.0",
          "product_id": "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:aef5994b152d534e81c9832b67cf6ff68e760d55915f830be02ac2bcaceae553_s390x"
        },
        "product_reference": "rhbk/keycloak-rhel9-operator@sha256:aef5994b152d534e81c9832b67cf6ff68e760d55915f830be02ac2bcaceae553_s390x",
        "relates_to_product_reference": "9Base-RHBK-26.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhbk/keycloak-rhel9@sha256:42c1e459585e03df56aca5bbf83081d95f21b121f623fec4d36e9a42f697f945_s390x as a component of Red Hat build of Keycloak 26.0",
          "product_id": "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:42c1e459585e03df56aca5bbf83081d95f21b121f623fec4d36e9a42f697f945_s390x"
        },
        "product_reference": "rhbk/keycloak-rhel9@sha256:42c1e459585e03df56aca5bbf83081d95f21b121f623fec4d36e9a42f697f945_s390x",
        "relates_to_product_reference": "9Base-RHBK-26.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhbk/keycloak-rhel9@sha256:bbda28678bec5d9778a3f0da5bb2cb9becc971f6080eb03758316721720b83e8_amd64 as a component of Red Hat build of Keycloak 26.0",
          "product_id": "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:bbda28678bec5d9778a3f0da5bb2cb9becc971f6080eb03758316721720b83e8_amd64"
        },
        "product_reference": "rhbk/keycloak-rhel9@sha256:bbda28678bec5d9778a3f0da5bb2cb9becc971f6080eb03758316721720b83e8_amd64",
        "relates_to_product_reference": "9Base-RHBK-26.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rhbk/keycloak-rhel9@sha256:cfc457ab3d6cadd50622b18a1bf3967754545ba3cc435cd29ad4e80d592050e5_ppc64le as a component of Red Hat build of Keycloak 26.0",
          "product_id": "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:cfc457ab3d6cadd50622b18a1bf3967754545ba3cc435cd29ad4e80d592050e5_ppc64le"
        },
        "product_reference": "rhbk/keycloak-rhel9@sha256:cfc457ab3d6cadd50622b18a1bf3967754545ba3cc435cd29ad4e80d592050e5_ppc64le",
        "relates_to_product_reference": "9Base-RHBK-26.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-11419",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2025-10-07T11:12:36.431000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2402142"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: Keycloak TLS Client-Initiated Renegotiation Denial of Service",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "9Base-RHBK-26.0:rhbk/keycloak-operator-bundle@sha256:43a298583415c35ecbb5325283a9892566bd08fb0eb2ebd37e90610d88269649_amd64",
          "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:14b0fbc122f85168376a1769d591641fc2c8e93c0d0b771065cd3779b5ebc546_amd64",
          "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:3df0789cf7012777396528a72fd7c8af718bdf61e79ca3a5097ee77e37ade59d_ppc64le",
          "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:aef5994b152d534e81c9832b67cf6ff68e760d55915f830be02ac2bcaceae553_s390x",
          "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:42c1e459585e03df56aca5bbf83081d95f21b121f623fec4d36e9a42f697f945_s390x",
          "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:bbda28678bec5d9778a3f0da5bb2cb9becc971f6080eb03758316721720b83e8_amd64",
          "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:cfc457ab3d6cadd50622b18a1bf3967754545ba3cc435cd29ad4e80d592050e5_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2025-11419"
        },
        {
          "category": "external",
          "summary": "RHBZ#2402142",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402142"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2025-11419",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-11419"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-11419",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11419"
        }
      ],
      "release_date": "2025-10-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-10-16T14:50:34+00:00",
          "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
          "product_ids": [
            "9Base-RHBK-26.0:rhbk/keycloak-operator-bundle@sha256:43a298583415c35ecbb5325283a9892566bd08fb0eb2ebd37e90610d88269649_amd64",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:14b0fbc122f85168376a1769d591641fc2c8e93c0d0b771065cd3779b5ebc546_amd64",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:3df0789cf7012777396528a72fd7c8af718bdf61e79ca3a5097ee77e37ade59d_ppc64le",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:aef5994b152d534e81c9832b67cf6ff68e760d55915f830be02ac2bcaceae553_s390x",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:42c1e459585e03df56aca5bbf83081d95f21b121f623fec4d36e9a42f697f945_s390x",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:bbda28678bec5d9778a3f0da5bb2cb9becc971f6080eb03758316721720b83e8_amd64",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:cfc457ab3d6cadd50622b18a1bf3967754545ba3cc435cd29ad4e80d592050e5_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2025:18255"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, configure Keycloak to reject client-initiated TLS renegotiation by adding the following Java system property to the Keycloak startup configuration:\n-Djdk.tls.rejectClientInitiatedRenegotiation=true\n\nThis prevents unauthenticated attackers from triggering repeated TLS renegotiations and exhausting server CPU resources.\nAdditionally, ensure that Keycloak is deployed behind proper network access controls and rate-limiting mechanisms to further reduce exposure to DoS attacks.",
          "product_ids": [
            "9Base-RHBK-26.0:rhbk/keycloak-operator-bundle@sha256:43a298583415c35ecbb5325283a9892566bd08fb0eb2ebd37e90610d88269649_amd64",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:14b0fbc122f85168376a1769d591641fc2c8e93c0d0b771065cd3779b5ebc546_amd64",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:3df0789cf7012777396528a72fd7c8af718bdf61e79ca3a5097ee77e37ade59d_ppc64le",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:aef5994b152d534e81c9832b67cf6ff68e760d55915f830be02ac2bcaceae553_s390x",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:42c1e459585e03df56aca5bbf83081d95f21b121f623fec4d36e9a42f697f945_s390x",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:bbda28678bec5d9778a3f0da5bb2cb9becc971f6080eb03758316721720b83e8_amd64",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:cfc457ab3d6cadd50622b18a1bf3967754545ba3cc435cd29ad4e80d592050e5_ppc64le"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "9Base-RHBK-26.0:rhbk/keycloak-operator-bundle@sha256:43a298583415c35ecbb5325283a9892566bd08fb0eb2ebd37e90610d88269649_amd64",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:14b0fbc122f85168376a1769d591641fc2c8e93c0d0b771065cd3779b5ebc546_amd64",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:3df0789cf7012777396528a72fd7c8af718bdf61e79ca3a5097ee77e37ade59d_ppc64le",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9-operator@sha256:aef5994b152d534e81c9832b67cf6ff68e760d55915f830be02ac2bcaceae553_s390x",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:42c1e459585e03df56aca5bbf83081d95f21b121f623fec4d36e9a42f697f945_s390x",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:bbda28678bec5d9778a3f0da5bb2cb9becc971f6080eb03758316721720b83e8_amd64",
            "9Base-RHBK-26.0:rhbk/keycloak-rhel9@sha256:cfc457ab3d6cadd50622b18a1bf3967754545ba3cc435cd29ad4e80d592050e5_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "keycloak: Keycloak TLS Client-Initiated Renegotiation Denial of Service"
    }
  ]
}

CVE-2025-11419 (GCVE-0-2025-11419)

Vulnerability from cvelistv5 – Published: 2025-12-23 20:42 – Updated: 2025-12-23 20:52

Title

Keycloak: keycloak tls client-initiated renegotiation denial of service

Summary

A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

redhat

References

URL

Tags

	https://access.redhat.com/errata/RHSA-2025:18254	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:18255	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:18889	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2025:18890	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2025-11419	vdb-entryx_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2402142	issue-trackingx_refsource_REDHAT

Impacted products

Vendor

Product

Version

Affected: 0 , < 26.0.16 (semver)
Unknown: 26.1.0 , < 26.1.* (semver)
Affected: 26.2.0 , < 26.2.10 (semver)
Unknown: 26.3.0 , < 26.3.* (semver)
Affected: 26.4.0 , < 26.4.1 (semver)

Red Hat	Red Hat build of Keycloak 26.0	Unaffected: 26.0.16-2 , < * (rpm) cpe:/a:redhat:build_keycloak:26.0::el9
Red Hat	Red Hat build of Keycloak 26.0	Unaffected: 26.0-20 , < * (rpm) cpe:/a:redhat:build_keycloak:26.0::el9
Red Hat	Red Hat build of Keycloak 26.0	Unaffected: 26.0-21 , < * (rpm) cpe:/a:redhat:build_keycloak:26.0::el9
Red Hat	Red Hat build of Keycloak 26.0.16	cpe:/a:redhat:build_keycloak:26.0
Red Hat	Red Hat build of Keycloak 26.2	Unaffected: 26.2.10-2 , < * (rpm) cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.2	Unaffected: 26.2-11 , < * (rpm) cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.2	Unaffected: 26.2-11 , < * (rpm) cpe:/a:redhat:build_keycloak:26.2::el9
Red Hat	Red Hat build of Keycloak 26.2.10	cpe:/a:redhat:build_keycloak:26.2::el9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11419",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-23T20:51:23.601159Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-23T20:52:40.059Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/keycloak/keycloak/",
          "defaultStatus": "unaffected",
          "packageName": "keycloak",
          "versions": [
            {
              "lessThan": "26.0.16",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "26.1.*",
              "status": "unknown",
              "version": "26.1.0",
              "versionType": "semver"
            },
            {
              "lessThan": "26.2.10",
              "status": "affected",
              "version": "26.2.0",
              "versionType": "semver"
            },
            {
              "lessThan": "26.3.*",
              "status": "unknown",
              "version": "26.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "26.4.1",
              "status": "affected",
              "version": "26.4.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.0",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.0.16-2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.0",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.0-20",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.0::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.0",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.0-21",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.0"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak-server",
          "product": "Red Hat build of Keycloak 26.0.16",
          "vendor": "Red Hat"
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-operator-bundle",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2.10-2",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2-11",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://catalog.redhat.com/software/containers/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "affected",
          "packageName": "rhbk/keycloak-rhel9-operator",
          "product": "Red Hat build of Keycloak 26.2",
          "vendor": "Red Hat",
          "versions": [
            {
              "lessThan": "*",
              "status": "unaffected",
              "version": "26.2-11",
              "versionType": "rpm"
            }
          ]
        },
        {
          "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
          "cpes": [
            "cpe:/a:redhat:build_keycloak:26.2::el9"
          ],
          "defaultStatus": "unaffected",
          "packageName": "keycloak-server",
          "product": "Red Hat build of Keycloak 26.2.10",
          "vendor": "Red Hat"
        }
      ],
      "datePublic": "2025-10-07T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "namespace": "https://access.redhat.com/security/updates/classification/",
              "value": "Important"
            },
            "type": "Red Hat severity rating"
          }
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T20:42:38.699Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "RHSA-2025:18254",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:18254"
        },
        {
          "name": "RHSA-2025:18255",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:18255"
        },
        {
          "name": "RHSA-2025:18889",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:18889"
        },
        {
          "name": "RHSA-2025:18890",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2025:18890"
        },
        {
          "tags": [
            "vdb-entry",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/security/cve/CVE-2025-11419"
        },
        {
          "name": "RHBZ#2402142",
          "tags": [
            "issue-tracking",
            "x_refsource_REDHAT"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402142"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-07T11:12:36.431000+00:00",
          "value": "Reported to Red Hat."
        },
        {
          "lang": "en",
          "time": "2025-10-07T00:00:00+00:00",
          "value": "Made public."
        }
      ],
      "title": "Keycloak: keycloak tls client-initiated renegotiation denial of service",
      "workarounds": [
        {
          "lang": "en",
          "value": "To mitigate this vulnerability, configure Keycloak to reject client-initiated TLS renegotiation by adding the following Java system property to the Keycloak startup configuration:\n-Djdk.tls.rejectClientInitiatedRenegotiation=true\n\nThis prevents unauthenticated attackers from triggering repeated TLS renegotiations and exhausting server CPU resources.\nAdditionally, ensure that Keycloak is deployed behind proper network access controls and rate-limiting mechanisms to further reduce exposure to DoS attacks."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      },
      "x_redhatCweChain": "CWE-770: Allocation of Resources Without Limits or Throttling"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2025-11419",
    "datePublished": "2025-12-23T20:42:38.699Z",
    "dateReserved": "2025-10-07T11:19:18.134Z",
    "dateUpdated": "2025-12-23T20:52:40.059Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2025:18255

CVE-2025-11419 (GCVE-0-2025-11419)

Tags

Sightings

Nomenclature