Keycloak Out-of-Memory Denial-of-Service Vulnerability via Malformed LDAP Password Policy Response

Vulnerability

A denial-of-service vulnerability has been identified in Keycloak. The issue is reachable only when an LDAP user-storage provider is configured. A remote attacker with high privileges, such as a realm administrator or one who has compromised an upstream LDAP server, can exploit it by returning a malformed LDAP password policy response during authentication. Processing that response triggers an OutOfMemoryError, which causes the Keycloak Java Virtual Machine (JVM) to terminate and results in a service outage for all realms on the affected node.

Impact

Exploitation of this vulnerability causes the Keycloak JVM to run out of memory and terminate, disrupting service for all realms on the affected node.

Remediation

To mitigate this vulnerability, ensure that Keycloak's LDAP user-storage providers connect only to trusted and secured LDAP servers, and do not point them at unverified or potentially malicious LDAP endpoints. Always use TLS for LDAP connections (LDAPS or StartTLS) to protect against man-in-the-middle attacks. If an upstream LDAP server is compromised, isolate and secure it immediately.
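As an added example, not taken from this advisory or from the Keycloak project, the following Python script audits a realm's LDAP user-storage providers against the remediation points above: it flags connections that use neither ldaps:// nor StartTLS, and connection hosts that are not on an allowlist of trusted LDAP servers. It expects component representations in the shape the Keycloak admin REST API returns for user-storage components (a providerId plus a config map of key to list of strings, using Keycloak's connectionUrl and startTls keys); the sample components and the allowlist below are constructed for the example.

```python
"""Audit Keycloak LDAP user-storage providers for insecure transport and untrusted hosts.

Added example, not Keycloak code. Input is a list of component representations as
returned by the Keycloak admin REST API for user-storage providers:
  {"id": ..., "name": ..., "providerId": "ldap", "config": {"key": ["value", ...]}}
"""
from urllib.parse import urlsplit

LDAP_PROVIDER_ID = "ldap"

# Constructed allowlist of LDAP servers this realm is allowed to talk to.
TRUSTED_HOSTS = {"ldap.corp.example"}

# Constructed sample components (shape follows the admin REST API, values are made up).
SAMPLE_COMPONENTS = [
    {"id": "c1", "name": "corp-ldap", "providerId": LDAP_PROVIDER_ID,
     "config": {"connectionUrl": ["ldaps://ldap.corp.example:636"], "startTls": ["false"]}},
    {"id": "c2", "name": "legacy-ldap", "providerId": LDAP_PROVIDER_ID,
     "config": {"connectionUrl": ["ldap://10.0.0.5:389"]}},
    {"id": "c3", "name": "dev-ldap", "providerId": LDAP_PROVIDER_ID,
     "config": {"connectionUrl": ["ldap://ldap.corp.example:389"], "startTls": ["true"]}},
    {"id": "c4", "name": "kerberos", "providerId": "kerberos", "config": {}},
]


def _first(config, key, default=""):
    """Config values are lists of strings; return the first one or a default."""
    values = config.get(key) or []
    return values[0] if values else default


def audit_ldap_component(component, trusted_hosts):
    """Return a list of findings for one component; an empty list means it passed."""
    if component.get("providerId") != LDAP_PROVIDER_ID:
        return []  # only LDAP user-storage providers are in scope
    name = component.get("name") or component.get("id") or "<unnamed>"
    config = component.get("config", {})
    start_tls = _first(config, "startTls", "false").lower() == "true"
    findings = []
    # connectionUrl may hold several space-separated URLs for failover; check each.
    for url in _first(config, "connectionUrl").split():
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme == "ldap" and not start_tls:
            findings.append(f"{name}: plaintext LDAP to {url} (not ldaps:// and startTls is off)")
        elif parts.scheme not in ("ldap", "ldaps"):
            findings.append(f"{name}: unexpected scheme in connection URL {url}")
        if host not in trusted_hosts:
            findings.append(f"{name}: host {host!r} is not in the trusted LDAP server allowlist")
    return findings


def audit_components(components, trusted_hosts):
    """Map component name -> findings, including only components with at least one finding."""
    report = {}
    for comp in components:
        findings = audit_ldap_component(comp, trusted_hosts)
        if findings:
            report[comp.get("name") or comp.get("id") or "<unnamed>"] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_components(SAMPLE_COMPONENTS, TRUSTED_HOSTS).items():
        for finding in findings:
            print(finding)
```

In practice the component list would come from the admin API's components endpoint filtered to the user-storage provider type; the checks themselves are deliberately conservative and treat a plain ldap:// URL without StartTLS, or any host outside the allowlist, as a finding to review.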

Added: May 28, 2026, 6:19 AM
Updated: May 28, 2026, 6:19 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 6.2
remediation: 7.9
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.