CVE-2024-10973: 
Java vulnerability analysis and mitigation

A vulnerability was discovered in Keycloak where the environment option KC_CACHE_EMBEDDED_MTLS_ENABLED is non-functional, causing JGroups replication configuration to always operate in plain text mode. This vulnerability was assigned CVE-2024-10973 and was disclosed on December 17, 2024. The issue affects Keycloak installations that use JGroups for replication (Red Hat CVE).

The vulnerability stems from a failure in the KC_CACHE_EMBEDDED_MTLS_ENABLED environment option, which is meant to enable encrypted communication for JGroups replication. Due to this issue, the JGroups replication configuration defaults to plain text, regardless of the option setting. The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) with the vector string CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating adjacent network access requirements and potential for high confidentiality impact (NVD).

The vulnerability allows attackers with access to adjacent networks related to JGroups to potentially read sensitive information transmitted during replication processes. Since the communication occurs in plain text instead of being encrypted as intended, this creates a significant confidentiality risk for the affected systems (Red Hat CVE).

As of the disclosure date, there is no specific mitigation information available. Users should monitor official Keycloak channels and Red Hat security advisories for updates and patches (Red Hat CVE).