Keycloak Server is not affected by Spring4shell vulnerability (CVE-2022-22965) #11187
abstractj announced in Announcements
Spring4shell
On March 31, 2022, the Spring4shell vulnerability (CVE-2022-22965) was disclosed, with a high impact on many Java projects worldwide. The Keycloak team assessed our main projects on the same day to understand the impact.
Keycloak Server
The Keycloak and Keycloak Legacy server distributions, as well as the container images and the Keycloak Operator, do not use any Spring dependency. They are not susceptible to these CVEs.
Keycloak adapters
Keycloak provides adapters for Spring Boot and Spring Security; they are not part of the Keycloak server distribution. Applications that meet the conditions described in the Spring guidelines may be affected by CVE-2022-22965 through transitive dependencies.
We appreciate that migrating from the Keycloak adapters to Spring Security is not trivial, but considering the impact of this CVE, we strongly advise against continuing to use the Keycloak adapters. Please refer to this blog post from Ger Roza for more details.
Those adapters will soon be deprecated; more details can be found in the Spring guidelines.
Recommendations
While the Keycloak server itself does not use any of those dependencies and is not impacted by these CVEs, users deploying our adapters should review the Spring guidelines and analyze the applications they manage based on the latest guidance from Spring.
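As an added illustration that is not part of this announcement or of the Keycloak project's code: the check below walks `mvn dependency:tree` output for an application and reports every Spring Framework artifact whose version predates the CVE-2022-22965 fix releases (5.3.18 and 5.2.20), together with the dependency path that pulled it in, so a transitive pull through a Keycloak adapter becomes visible. The sample tree, its application coordinates and all artifact versions are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output; coordinates and versions
# are illustrative only and do not describe any real application.
SAMPLE_TREE = """\
[INFO] com.example:demo-app:war:1.0.0
[INFO] +- org.keycloak:keycloak-spring-security-adapter:jar:17.0.1:compile
[INFO] |  \\- org.springframework.security:spring-security-web:jar:5.6.2:compile
[INFO] |     \\- org.springframework:spring-beans:jar:5.3.16:compile
[INFO] +- org.springframework:spring-webmvc:jar:5.3.18:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-logging:jar:2.6.5:compile
"""

SPRING_FRAMEWORK_GROUP = "org.springframework"  # exact groupId of Spring Framework
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Reduce '5.3.16' or '4.3.30.RELEASE' to a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_spring_version(version: str) -> bool:
    """Spring fixed CVE-2022-22965 in 5.3.18 and 5.2.20; older 5.3.x and 5.2.x
    releases and every end-of-life line (4.x and earlier) remain affected."""
    v = parse_version(version)
    return v < (5, 2, 20) or (5, 3, 0) <= v < (5, 3, 18)


def find_vulnerable_spring(tree_output: str) -> List[Dict[str, str]]:
    """Report affected Spring Framework artifacts with the path that pulled them in."""
    findings: List[Dict[str, str]] = []
    stack: List[Tuple[int, str]] = []  # (depth, groupId:artifactId:version) ancestors
    for raw in tree_output.splitlines():
        line = raw.removeprefix("[INFO] ")
        coord = line.lstrip("+-\\| ")           # strip the tree-drawing prefix
        depth = (len(line) - len(coord)) // 3   # each nesting level is 3 columns wide
        parts = coord.split(":")                # groupId:artifactId:type[:classifier]:version[:scope]
        if len(parts) < 4:
            continue                            # banner or blank line, not a coordinate
        group, artifact = parts[0], parts[1]
        version = parts[3] if len(parts) == 4 else parts[-2]
        while stack and stack[-1][0] >= depth:  # unwind to this node's parent
            stack.pop()
        stack.append((depth, f"{group}:{artifact}:{version}"))
        if group == SPRING_FRAMEWORK_GROUP and is_vulnerable_spring_version(version):
            findings.append({"artifact": f"{group}:{artifact}", "version": version,
                             "path": " -> ".join(c for _, c in stack)})
    return findings
```

A version hit only shows that a vulnerable artifact is on the classpath; the remaining exposure conditions in Spring's guidance (JDK and deployment model) still need to be reviewed for each application.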
Additional information
None of the Keycloak projects are impacted by the CVEs below:
- CVE-2022-22947: Spring Cloud Gateway applications on versions before 3.1.1 and 3.0.7 are vulnerable to a code injection attack
- CVE-2022-22963: Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions
For any questions, please do not hesitate to contact us on the Keycloak Security mailing list.