CVE-2024-9666

4.7 MEDIUM

📋 TL;DR

Keycloak can be configured (the `proxy-headers` option, or the older `proxy` option) to trust the Forwarded / X-Forwarded-* headers set by a reverse proxy. When that proxy forwards the client's copies of those headers instead of overwriting them, an unauthenticated attacker can send requests whose proxy headers carry attacker-chosen host names, and processing them makes Keycloak perform DNS resolution on those names. Blocking lookups on the IO threads accumulate until the server can no longer serve legitimate authentication requests. Only deployments that enable proxy headers and do not sanitize them at the proxy are exposed.

💻 Affected Systems

Products:
  • Keycloak Server
Versions: Multiple versions prior to the fixed releases; the Red Hat advisories RHSA-2024:10175 through RHSA-2024:10178 list the exact ranges
Operating Systems: All platforms running Keycloak
Default Config Vulnerable: ✅ No
Notes: Proxy headers are ignored unless explicitly enabled. A deployment is only vulnerable when Keycloak is started with proxy header support and the reverse proxy in front of it passes client-supplied proxy headers through rather than overwriting them.

⚠️ Manual Verification Required

This CVE entry carries no machine-readable version ranges, so automatic vulnerability detection cannot determine whether your system is affected.

Why? Neither the vendor nor NVD published version ranges in the CVE record itself; the ranges are only in the Red Hat advisories.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check the Red Hat advisories for the ranges covering your specific version
  3. Check whether proxy header support is enabled and whether your reverse proxy overwrites incoming proxy headers
  4. Update to the latest version as a precaution even if you believe the configuration is safe

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability: the IO threads are all blocked in DNS resolution attempts, so legitimate authentication requests are no longer processed.

🟠 Likely Case

Degraded performance and intermittent service disruptions while the attack traffic lasts.

🟢 If Mitigated

Minimal impact once the reverse proxy overwrites all proxy headers and rate limiting is in place.

🌐 Internet-Facing: MEDIUM. The vulnerable proxy configuration is the only precondition; any client that can reach the login or token endpoints can send the headers, no account needed.
🏢 Internal Only: LOW. An internal attacker needs the same vulnerable configuration and network reach to the Keycloak endpoints.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack is a flood of ordinary HTTP requests whose proxy headers carry attacker-chosen host names, aimed at a deployment with the vulnerable configuration; no credentials or special tooling are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: See Red Hat advisories RHSA-2024:10175 through RHSA-2024:10178 for the patched versions of each supported stream

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-9666

Restart Required: Yes

Instructions:

  1. Review the Red Hat advisories for the stream matching your Keycloak version.
  2. Apply the corresponding security update.
  3. Restart the Keycloak service.
  4. Verify the fix is applied (see How to Verify below).

🔧 Temporary Workarounds

Disable proxy header acceptance (all platforms)

Start Keycloak without proxy header support: leave the `proxy-headers` option unset (and, on versions that still accept it, do not pass the legacy `--proxy` option). Keycloak then ignores Forwarded / X-Forwarded-* headers entirely. Note that behind a TLS-terminating proxy this changes how Keycloak derives its own URLs, so a fixed hostname configuration is usually needed as well.

Implement reverse proxy header sanitization (all platforms)

Configure nginx, Apache httpd or HAProxy to set every proxy header (Forwarded, X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Proto, X-Forwarded-Port) from values the proxy observed itself, rather than passing the client's copies through. Headers the proxy does not use should be removed outright. This closes the issue without changing Keycloak's configuration and is the preferred workaround.
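A concrete version of the second workaround, as an added example that is not from this page or the Keycloak project: an nginx `location` in front of a Keycloak started with `--proxy-headers=xforwarded`, showing the pass-through pattern that leaves the server exposed beside the overwriting pattern that closes it. The upstream name `keycloak:8080` is a placeholder.

```nginx
# WEAK: forwards whatever the client sent, so the attacker controls the
# values Keycloak will parse (and resolve).
location / {
    proxy_pass http://keycloak:8080;
    proxy_set_header X-Forwarded-For   $http_x_forwarded_for;
    proxy_set_header X-Forwarded-Host  $http_x_forwarded_host;
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    # "Forwarded" is not mentioned at all, so nginx relays it unchanged.
}

# CORRECTED: every proxy header is overwritten from values nginx observed;
# client-supplied copies never reach Keycloak.
location / {
    proxy_pass http://keycloak:8080;
    proxy_set_header Host              $host;
    # $remote_addr, not $proxy_add_x_forwarded_for: the latter appends to the
    # client's list and therefore keeps attacker-supplied entries.
    proxy_set_header X-Forwarded-For   $remote_addr;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Setting a header to "" removes it; Keycloak is not using the RFC 7239 form here.
    proxy_set_header Forwarded         "";
}
```

If nginx is itself behind another trusted proxy or load balancer, use `$proxy_add_x_forwarded_for` only together with `set_real_ip_from` / `real_ip_header` so that only that trusted hop's entries are kept.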

🧯 If You Can't Patch

  • Rate-limit at the network or proxy layer, keyed on the real client address (the TCP peer), never on X-Forwarded-For, since the attacker controls that header
  • Deploy Web Application Firewall (WAF) rules that strip or reject requests whose Forwarded / X-Forwarded-* headers contain host names rather than IP addresses

🔍 How to Verify

Check if Vulnerable:

Check whether Keycloak is started with proxy header support (`proxy-headers`, or the legacy `proxy` option) and whether the reverse proxy forwards client-supplied proxy headers unchanged. `kc.sh show-config` prints the effective runtime configuration.

Check Version:

Run `keycloak/bin/kc.sh --version`, or read the version from the Keycloak admin console server info page.

Verify Fix Applied:

Confirm the running version is one of the patched versions listed in the Red Hat advisories, and confirm that requests carrying spoofed proxy headers no longer influence the server's behaviour.
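One observable check for the "proxy headers trusted" precondition, as an added example that is not from this page or the Keycloak project. It relies on Keycloak building the `issuer` of the OIDC discovery document from the host it believes the request arrived at: when proxy headers are trusted, a spoofed X-Forwarded-Host shows up in that URL. The probe host name is a placeholder on the reserved `.invalid` TLD so it never resolves to anything real, and the two discovery documents at the bottom are constructed samples of the two outcomes.

```python
"""Probe whether a Keycloak deployment trusts client-supplied proxy headers.

Added example, not Keycloak project code. Assumes the discovery document's
issuer reflects the request host (true when Keycloak derives its URLs from
the incoming request and proxy headers are enabled).
"""
import json
import urllib.request

PROBE_HOST = "proxy-probe.invalid"   # reserved TLD: never resolves, never yours


def discovery_url(base_url, realm):
    """URL of the realm's OIDC discovery document."""
    return f"{base_url.rstrip('/')}/realms/{realm}/.well-known/openid-configuration"


def issuer_host(discovery_doc):
    """Host (and port, if present) component of the issuer URL."""
    issuer = discovery_doc["issuer"]
    return issuer.split("://", 1)[1].split("/", 1)[0]


def header_trusted(discovery_doc, probe_host=PROBE_HOST):
    """True if the spoofed X-Forwarded-Host was reflected into the issuer."""
    return issuer_host(discovery_doc).lower() == probe_host.lower()


def probe(base_url, realm="master", probe_host=PROBE_HOST, timeout=10):
    """Fetch the discovery document with a spoofed X-Forwarded-Host.

    Returns (trusted, issuer). This is the live network call; the offline
    checks below use the constructed documents instead.
    """
    req = urllib.request.Request(
        discovery_url(base_url, realm),
        headers={"X-Forwarded-Host": probe_host, "X-Forwarded-Proto": "https"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        doc = json.load(resp)
    return header_trusted(doc, probe_host), doc["issuer"]


# Constructed discovery documents illustrating both outcomes.
REFLECTED = {"issuer": "https://proxy-probe.invalid/realms/master"}
NOT_REFLECTED = {"issuer": "https://sso.example.com/realms/master"}

if __name__ == "__main__":
    import sys
    trusted, issuer = probe(sys.argv[1])   # e.g. https://sso.example.com
    print("TRUSTS proxy headers" if trusted else "ignores proxy headers", "issuer:", issuer)
```

A reflected issuer proves the deployment accepts client-supplied proxy headers; run the probe against the public entry point, and directly against Keycloak if it is reachable, to see where the header is or is not overwritten. A non-reflected issuer is not proof of the opposite: with a fixed `--hostname` Keycloak uses the configured name for its URLs even while `proxy-headers` is set, so confirm with `kc.sh show-config` that the option is unset.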

📡 Detection & Monitoring

Log Indicators:

  • Unusual DNS resolution failures or timeouts attributed to the Keycloak process
  • Rising IO thread usage and request latency without a matching rise in successful logins
  • Bursts of requests whose Forwarded / X-Forwarded-* headers contain host names instead of IP addresses, or many distinct values from one client

Network Indicators:

  • High volume of requests carrying X-Forwarded-For, X-Forwarded-Host or Forwarded headers arriving at the proxy from the Internet
  • DNS query spikes originating from the Keycloak server, especially for names that do not resolve

SIEM Query:

source="keycloak" AND ("DNS resolution" OR "proxy header" OR "X-Forwarded-For")

Keycloak does not log incoming proxy headers by default, so the header-based part of this query only matches if the reverse proxy's access log (with the header values added to its log format) is indexed alongside the Keycloak log.
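The indicators above are only actionable if the header values are logged. As an added example that is not from this page or from Keycloak, the script below runs a simple heuristic over a constructed access-log format that records the client address and the incoming X-Forwarded-For and Forwarded values: legitimate proxies put IP addresses in those headers, so a single client sending many distinct host names there is a strong signal of an attempt to force repeated DNS lookups. The log format, the regexes and the threshold are assumptions to adapt to your own proxy's log.

```python
"""Heuristic detection of proxy-header floods of the CVE-2024-9666 kind.

Added example, not Keycloak project code. The log layout is constructed:
<client_ip> "<method> <path>" <status> xff="<X-Forwarded-For>" fwd="<Forwarded>"
"""
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'xff="(?P<xff>[^"]*)" fwd="(?P<fwd>[^"]*)"$'
)

# Host part of the for= / host= parameters of an RFC 7239 Forwarded header.
FORWARDED_PARAM_RE = re.compile(r'(?:for|host)=("?)([^;,"]+)\1', re.IGNORECASE)


def is_ip_literal(value):
    """True if value is an IPv4/IPv6 address, optionally with port or brackets."""
    v = value.strip()
    if v.startswith("["):           # [v6]:port
        v = v[1:].split("]", 1)[0]
    elif v.count(":") == 1:         # v4:port
        v = v.split(":", 1)[0]
    try:
        ipaddress.ip_address(v)
        return True
    except ValueError:
        return False


def hostname_values(xff, fwd):
    """Proxy-header values that are host names rather than IP literals.

    A name here is exactly what a server would have to resolve if it decides
    to look the value up, which is the behaviour the attack abuses.
    """
    values = [t for t in xff.split(",") if t.strip()]
    values += [m.group(2) for m in FORWARDED_PARAM_RE.finditer(fwd)]
    return {v.strip() for v in values if v.strip() and not is_ip_literal(v)}


def analyze(lines, distinct_names_threshold=5):
    """Flag clients whose requests carried many distinct host names.

    Returns {client_ip: sorted distinct non-IP proxy-header values} for each
    client at or above the threshold. Lines not matching LOG_RE are skipped.
    """
    names_by_client = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        names_by_client[m["client"]].update(hostname_values(m["xff"], m["fwd"]))
    return {
        client: sorted(names)
        for client, names in names_by_client.items()
        if len(names) >= distinct_names_threshold
    }


# Constructed sample: one legitimate client behind a proxy, and one flooder
# rotating unresolvable names so that no DNS cache can absorb the lookups.
SAMPLE_LOG = [
    '203.0.113.10 "GET /realms/master/protocol/openid-connect/auth" 200 xff="198.51.100.7" fwd=""',
    '203.0.113.10 "POST /realms/master/protocol/openid-connect/token" 200 xff="198.51.100.7, 10.0.0.2" fwd=""',
] + [
    f'198.51.100.99 "GET /realms/master/.well-known/openid-configuration" 200 '
    f'xff="h{i}.attacker.invalid" fwd="for=n{i}.attacker.invalid"'
    for i in range(8)
]

if __name__ == "__main__":
    for client, names in analyze(SAMPLE_LOG).items():
        print(f"ALERT {client}: {len(names)} distinct host names in proxy headers, e.g. {names[:3]}")
```

Key the alert on the TCP peer address recorded by the proxy, as above, not on anything inside the forwarded headers: those are the attacker-controlled fields. A lower threshold with a time window is appropriate once the format is wired to real logs, since a proxy that has been configured to overwrite the headers should produce no host-name values at all.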

🔗 References

  • https://access.redhat.com/security/cve/CVE-2024-9666
  • https://nvd.nist.gov/vuln/detail/CVE-2024-9666