CVE-2021-3461
📋 TL;DR
This vulnerability in Keycloak allows session persistence after logout when using external SAML identity providers with specific Principal Type configurations. Attackers could maintain access to user sessions that should have been terminated. Organizations using Keycloak with SAML identity providers and Attribute Name principal type are affected.
💻 Affected Systems
- Keycloak
📦 What is this software?
Keycloak by Red Hat
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users maintain persistent access to authenticated sessions, potentially accessing sensitive data and performing privileged actions as legitimate users.
Likely Case
Users who should have been logged out retain session access, leading to potential unauthorized data access and privilege misuse.
If Mitigated
With proper session monitoring and access controls, impact is limited to temporary session persistence that can be detected and terminated.
🎯 Exploit Status
Exploitation requires a specific SAML identity provider configuration (Principal Type set to 'Attribute [Name]') and logout requests originating from the external identity provider.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Keycloak 13.0.0 and later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1941565
Restart Required: Yes
Instructions:
1. Upgrade Keycloak to version 13.0.0 or later.
2. Restart the Keycloak service.
3. Verify that SAML identity provider configurations were migrated correctly.
🔧 Temporary Workarounds
Change Principal Type Configuration
Change Principal Type from 'Attribute [Name]' to 'Subject NameID' in SAML identity provider configurations.
Implement Session Timeout
Reduce session timeout values to limit the potential exposure window.
🧯 If You Can't Patch
- Change SAML identity provider Principal Type configuration to 'Subject NameID' instead of 'Attribute [Name]'
- Implement aggressive session monitoring and forced logout mechanisms for suspicious sessions
🔍 How to Verify
Check if Vulnerable:
Check the Keycloak version and whether any SAML identity provider has Principal Type set to 'Attribute [Name]'.
Check Version:
keycloak/bin/kc.sh --version
Verify Fix Applied:
Verify that the Keycloak version is 13.0.0 or later, then test that an IdP-initiated logout from a SAML identity provider actually terminates the Keycloak user session.
📡 Detection & Monitoring
Log Indicators:
- Failed logout events from SAML identity providers
- Extended session durations beyond configured timeouts
- Multiple active sessions for single user
Network Indicators:
- SAML logout requests from external identity providers
- Session persistence after logout attempts
SIEM Query:
source="keycloak" AND (event="LOGOUT_FAILED" OR session_duration > 3600)
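The log indicators above can be checked offline against exported Keycloak event records. The following is an added example (not part of the advisory or of Keycloak itself) that groups events by sessionId and flags two patterns: token activity after a LOGOUT for the same session, and sessions with no logout that run past the configured timeout. The event type names match Keycloak's event model; the records, user ids and identity provider alias are constructed for the example.

```python
"""Flag Keycloak sessions that stay active after logout (CVE-2021-3461 pattern)."""
import json
from collections import defaultdict

# Constructed sample of Keycloak event records as JSON lines. Field names follow
# Keycloak's event format (type, time in ms, userId, sessionId, details); the
# values and the "corp-saml" identity provider alias are made up for this example.
SAMPLE_EVENTS = """\
{"time": 1617000000000, "type": "LOGIN", "userId": "u1", "sessionId": "s1", "details": {"identity_provider": "corp-saml"}}
{"time": 1617000600000, "type": "LOGOUT", "userId": "u1", "sessionId": "s1", "details": {"identity_provider": "corp-saml"}}
{"time": 1617001200000, "type": "REFRESH_TOKEN", "userId": "u1", "sessionId": "s1", "details": {}}
{"time": 1617000000000, "type": "LOGIN", "userId": "u2", "sessionId": "s2", "details": {"identity_provider": "corp-saml"}}
{"time": 1617000300000, "type": "LOGOUT", "userId": "u2", "sessionId": "s2", "details": {}}
{"time": 1617000000000, "type": "LOGIN", "userId": "u3", "sessionId": "s3", "details": {}}
{"time": 1617004200000, "type": "REFRESH_TOKEN", "userId": "u3", "sessionId": "s3", "details": {}}
"""


def find_suspicious_sessions(jsonl, max_session_seconds=3600):
    """Return (sessionId, userId, reason) tuples for sessions worth investigating."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["sessionId"]].append(ev)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda ev: ev["time"])
        logout_time = next((ev["time"] for ev in evs if ev["type"] == "LOGOUT"), None)
        if logout_time is not None and any(
            ev["time"] > logout_time and ev["type"] != "LOGOUT" for ev in evs
        ):
            # Token activity after the logout: the session that should have ended is still in use.
            findings.append((sid, evs[0]["userId"], "activity_after_logout"))
        elif logout_time is None:
            # No logout recorded at all: flag if the session outlives the configured timeout.
            lifetime_seconds = (evs[-1]["time"] - evs[0]["time"]) / 1000
            if lifetime_seconds > max_session_seconds:
                findings.append((sid, evs[0]["userId"], "exceeds_timeout"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_EVENTS):
        print(finding)
```

Sessions that were logged out cleanly (s2 in the sample) produce no finding; the two flagged sessions are candidates for forced termination through the Keycloak admin console or API.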