Keycloak Blind Server-Side Request Forgery Vulnerability via HTTP Redirect Handling

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in Keycloak, an identity and access management solution. The issue arises from improper handling of HTTP redirects during client configuration processing. Keycloak follows redirect responses without validating the final destination URL, allowing an attacker to supply a crafted 'sector_identifier_uri' that redirects to internal resources, such as cloud metadata endpoints. Successful exploitation can lead to unauthorized access to sensitive information and internal network reconnaissance.

Impact

Exploitation of this vulnerability allows for blind server-side request forgery, where the Keycloak server is tricked into making unintended requests to internal resources. This could bypass access controls and allow attackers to access sensitive internal services or perform reconnaissance on the internal network infrastructure.

Remediation

To mitigate this vulnerability, restrict outbound network access from the Keycloak instance. Configure firewall rules to prevent the Keycloak server from initiating connections to internal network segments, especially to well-known cloud metadata service IP addresses such as 169.254.169.254. Additionally, ensure that any configured 'sector_identifier_uri' values are thoroughly validated so that they point only to trusted, external URLs that do not redirect to internal resources.
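The following is an added illustration of the validation described above; it is not Keycloak code and does not use any Keycloak API. It models the defensive check a fetcher should apply to a 'sector_identifier_uri': require the https scheme, resolve the host, reject any address in loopback, link-local, private or otherwise non-global ranges (including IPv4-mapped IPv6 forms), and, crucially for the redirect-handling issue described in the Vulnerability section, re-run that check on every redirect hop instead of only on the initially configured URL. The hostnames, IP addresses, responses and the 'demo_opener'/'DEMO_RESOLVER' helpers are constructed for the example so it runs offline.

```python
"""Defensive fetcher for a sector_identifier_uri-style URL that validates every redirect hop.

Added example, not Keycloak's own code. Hostnames, addresses and responses below are constructed.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Explicit deny-list in addition to the ipaddress flags, so ranges such as shared
# address space (100.64.0.0/10) are blocked regardless of the Python version.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_internal_address(ip: str) -> bool:
    """True if the address must never be contacted on behalf of a client-supplied URL."""
    addr = ipaddress.ip_address(ip)
    # Unwrap ::ffff:a.b.c.d so an IPv4 metadata address cannot hide behind an IPv6 literal.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> list[str]:
    """Real DNS lookup; returns every address the host resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_destination(url: str, resolver=system_resolver) -> tuple[bool, str]:
    """Check one URL before it is requested. Returns (ok, reason)."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "scheme must be https"
    if parsed.username or parsed.password:
        return False, "userinfo in URL is not allowed"
    if not parsed.hostname:
        return False, "missing host"
    try:
        ips = resolver(parsed.hostname)
    except (OSError, KeyError, ValueError):
        return False, f"cannot resolve {parsed.hostname}"
    if not ips:
        return False, f"no addresses for {parsed.hostname}"
    for ip in ips:
        if is_internal_address(ip):
            return False, f"resolves to internal address {ip}"
    return True, "ok"


def fetch_sector_identifier(url: str, opener, resolver=system_resolver, max_hops: int = 3):
    """Fetch url, following at most max_hops redirects and validating each hop.

    opener(url) -> (status, headers, body). Returns (final_url, body) or raises ValueError.
    """
    current = url
    for _ in range(max_hops + 1):
        ok, reason = validate_destination(current, resolver)
        if not ok:
            raise ValueError(f"refusing {current}: {reason}")
        status, headers, body = opener(current)
        if status not in REDIRECT_CODES:
            return current, body
        location = headers.get("Location")
        if not location:
            raise ValueError(f"redirect from {current} without Location header")
        current = urljoin(current, location)  # relative Location values are resolved here
    raise ValueError(f"too many redirects starting from {url}")


# --- constructed offline demo data (hypothetical hosts and addresses) ---
_DEMO_DNS = {"app.example.test": ["5.6.7.8"], "cdn.example.test": ["9.10.11.12"]}


def DEMO_RESOLVER(host: str) -> list[str]:
    """Stub resolver: IP literals resolve to themselves, known names come from the table."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return _DEMO_DNS[host]


_DEMO_RESPONSES = {
    "https://app.example.test/old": (302, {"Location": "https://cdn.example.test/sectors.json"}, b""),
    "https://cdn.example.test/sectors.json": (200, {}, b'["https://client.example.test/cb"]'),
    "https://app.example.test/bad": (302, {"Location": "https://169.254.169.254/"}, b""),
}


def demo_opener(url: str):
    """Stub HTTP client returning canned responses instead of touching the network."""
    return _DEMO_RESPONSES[url]


if __name__ == "__main__":
    print(fetch_sector_identifier("https://app.example.test/old", demo_opener, DEMO_RESOLVER))
    try:
        fetch_sector_identifier("https://app.example.test/bad", demo_opener, DEMO_RESOLVER)
    except ValueError as exc:
        print("blocked:", exc)
```

Validating the resolved address before each request still leaves a window between resolution and connection (DNS rebinding), so a production client should additionally pin the checked address when it opens the socket; the network-level egress rules described above remain the backstop that does not depend on application code.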

Added: Mar 18, 2026, 4:20 AM
Updated: Mar 18, 2026, 4:20 AM

Vulnerability Rating (Custom Algorithm)

spread: 5.2
impact: 0.6
exploitability: 7.7
remediation: 7.9
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.