
Cloud Vulnerability DB
A community-led vulnerabilities database
An unconstrained memory consumption vulnerability (CVE-2023-6563) was discovered in Keycloak, affecting versions up to (excluding) 21.0.0. The vulnerability was disclosed on December 14, 2023, impacting Red Hat Single Sign-On and Keycloak installations. This security issue affects environments with large numbers of offline tokens, specifically those with more than 500,000 users having at least 2 saved sessions (NVD, Red Hat Bugzilla).
The vulnerability is classified as an Allocation of Resources Without Limits or Throttling (CWE-770) with a CVSS v3.1 base score of 7.7 (HIGH). The issue is triggered when an attacker who holds two or more user sessions opens the 'consents' tab of the admin user interface: the UI then attempts to load an enormous number of offline client sessions at once, driving memory and CPU consumption to excessive levels (NVD, GitHub Issue).
When exploited, the vulnerability can crash the entire system through this excessive memory and CPU consumption. The impact is most severe in environments holding millions of offline tokens, where the server attempts to process an overwhelming number of client sessions simultaneously (NVD).
Red Hat has released security updates to address this vulnerability across multiple platforms. Updates are available for Red Hat Single Sign-On 7.6.6 for RHEL 7, 8, and 9, as well as OpenShift Container Platform versions. Users are advised to update to the latest version of Keycloak (21.0.0) or apply the appropriate security patches (Red Hat Advisory).
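The two conditions the advisory describes, an affected Keycloak version and a large population of offline sessions that the consents tab would try to load in one go, can be turned into a quick exposure check. The following is an added example written for this page, not code from Keycloak, Red Hat or the database entry; it assumes a caller that can reach the Keycloak admin REST API's per-client `offline-session-count` endpoint (which exists in Keycloak), injects that call so the module runs offline, and uses constructed sample counts. Total offline sessions is used as a proxy for the advisory's "more than 500,000 users with at least 2 saved sessions" figure.

```python
"""Exposure check for CVE-2023-6563 (Keycloak offline-session memory exhaustion).

Added example, not Keycloak's or Red Hat's own code. The fetcher is injected
so the module runs without a live server; SAMPLE_COUNTS below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple

# Fixed version as stated by the advisory on this page (versions below it are affected).
FIXED_VERSION = (21, 0, 0)
# Scale at which the advisory says impact becomes severe: >500,000 users with >=2 sessions.
USER_THRESHOLD = 500_000
SESSIONS_PER_USER = 2

Fetcher = Callable[[str], dict]  # maps an admin REST path to its parsed JSON body


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '20.0.5' or '21.1.0-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    core = text.split("-", 1)[0]          # drop qualifiers such as -SNAPSHOT
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:                 # '21' -> (21, 0, 0)
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def version_affected(version: str) -> bool:
    """True when the running version is below the fixed version from the advisory."""
    return parse_version(version) < FIXED_VERSION


def offline_session_counts(realm: str, client_uuids: Iterable[str], fetch: Fetcher) -> Dict[str, int]:
    """Collect the offline-session count for each client via the admin REST API."""
    counts: Dict[str, int] = {}
    for cid in client_uuids:
        body = fetch(f"/admin/realms/{realm}/clients/{cid}/offline-session-count")
        counts[cid] = int(body.get("count", 0))
    return counts


@dataclass
class Assessment:
    version_affected: bool
    total_offline_sessions: int
    exceeds_advisory_scale: bool

    @property
    def at_risk(self) -> bool:
        # Both conditions must hold for the scenario the advisory describes.
        return self.version_affected and self.exceeds_advisory_scale


def assess(version: str, realm: str, client_uuids: Iterable[str], fetch: Fetcher) -> Assessment:
    counts = offline_session_counts(realm, client_uuids, fetch)
    total = sum(counts.values())
    return Assessment(
        version_affected=version_affected(version),
        total_offline_sessions=total,
        exceeds_advisory_scale=total >= USER_THRESHOLD * SESSIONS_PER_USER,
    )


# Constructed sample of what the endpoint would return for two hypothetical clients.
SAMPLE_COUNTS = {"client-a": 800_000, "client-b": 350_000}


def sample_fetch(path: str) -> dict:
    """Stand-in for an authenticated HTTP GET against the admin REST API."""
    cid = path.split("/clients/")[1].split("/")[0]
    return {"count": SAMPLE_COUNTS[cid]}


if __name__ == "__main__":
    result = assess("20.0.5", "example-realm", SAMPLE_COUNTS.keys(), sample_fetch)
    print(result, "at_risk:", result.at_risk)
```

Against a real deployment, `sample_fetch` would be replaced by a function that performs an authenticated GET of the base URL plus the path (for instance with `requests` and a bearer token for an admin account) and returns the JSON body; the assessment logic is unchanged. A result with `at_risk` true is the signal to apply the Red Hat updates listed above before anyone with admin console access opens a consents tab in that realm.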
Source: This report was generated using AI