Twistlock issue in keycloak 26.0.0 (io.netty_netty-common)

Getting advice
1

Hi Keycloak team,

Keycloak is packaging io.netty_netty-common which is having the following High severity vulnerability. This is fixed in 4.1.115 version. Please let us know when keycloak will fix this issue.

Thanks in advance!

Thanks,

Sreehari

Registry Repository Tag Id Scan Time Pass Type Distro Hostname Layer CVE ID Compliance ID Result Type Severity Packages Source Package Package Version Package License CVSS Fix Status Fix Date Grace Days Vulnerability Tags Description Cause Published Custom Labels Vulnerability Link PURL
sha256:a3fd6ee4a5ca65d1c6dd92bf5601eebf3f38c65d00dbfb95f4471c8b69c99508 42:12.2 TRUE ciImage suse-15.6 CVE-2024-47535 47 fail java high io.netty_netty-common 4.1.111.Final 5.5 fixed in 4.1.115 50:13.0 ### Summary An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attemps to load a file that does not exist. If an attacker creates such a large file, the Netty application crash. ### Details When the library netty is loaded in a java windows application, the library tries to identify the system environnement in which it is executed. At this stage, Netty tries to load both /etc/os-release and /usr/lib/os-release even though it is in a Windows environment. 1 If netty finds this files, it reads them and loads them into memory. By default : - The JVM maximum memory size is set to 1 GB, - A non-privileged user can create a directory at C:\ and create files within it.
2
2680×443 19.8 KB
3
31046×166 7.55 KB
the source code identified : netty/common/src/main/java/io/netty/util/internal/PlatformDependent.java at 4.1 · netty/netty · GitHub Despite the implementation of the function normalizeOs() the source code not verify the OS before reading C:\etc\os-release and `C:\usr\lib\os-release		 53:17.0 NVD - CVE-2024-47535 pkg:maven/io.netty/netty-common@4.1.111.Final

Thanks

Sreehari

2

This is a community forum where the maintainers of Keycloak do not read the posts. If you have any security concerns, please follow the instructions on the website: Security Policy - Keycloak
Thanks for your understanding.

3

Thanks @dasniko ! I did report to keycloak-security@googlegroups.com. But, I got a reply saying "All fixes to dependencies will be handled publically. " Is there any other forum where I can ask for fix?