CVE-2024-9666
Java vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2024-9666) was discovered in the Keycloak Server affecting versions 26 and earlier. The vulnerability was disclosed on November 25, 2024, impacting the server's proxy header handling mechanism (NVD, Red Hat Bugzilla).

Technical details

The vulnerability stems from improper handling of proxy headers in Keycloak Server. When configured to accept incoming proxy headers, the server may accept non-IP values, including obfuscated identifiers, without proper validation. For successful exploitation in Keycloak version 26, all of the following conditions must be met (Red Hat Bugzilla):

  • the realm has SslRequired=EXTERNAL (the default setting);
  • HTTP is enabled;
  • the instance does not use a full hostname URL;
  • access comes from behind a proxy; and
  • trusted proxies are either not set or incorrectly trust the originating client request.

The vulnerability has been assigned a CVSS v3.1 base score of 4.7 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).
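To make the mechanism concrete, here is an added Java example; it is neither Keycloak's code nor the Red Hat fix. It relies on one JDK fact: InetAddress.getByName returns immediately for an IP literal but performs a blocking DNS query for any other string, so a proxy header value that is not an IP literal becomes a DNS lookup on an IO thread. The routine below admits only strings that cannot be hostnames, and it honours X-Forwarded-For only when the request actually arrived from one of the deployment's own proxies (the "trusted proxies not set" condition above). The trusted proxy addresses, the sample peer/header pairs and the class name are constructed for the illustration; the page does not say which proxy header Keycloak parsed, so X-Forwarded-For stands in for "proxy headers" generally and is an assumption.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Optional;
import java.util.Set;

/*
 * Added example (not Keycloak's code): taking a client address from a proxy
 * header without ever handing an unvalidated string to InetAddress, where a
 * non-literal would cost a blocking DNS query per request (the CVE-2024-9666
 * exhaustion pattern).
 */
public final class ForwardedAddressGuard {

    // Constructed: the reverse proxies this deployment really sits behind.
    // Anything not listed here is a client and its proxy headers are ignored.
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "10.0.0.6");

    private ForwardedAddressGuard() {}

    /** Strict dotted-quad IPv4 literal, e.g. "203.0.113.7". */
    static boolean isIpv4Literal(String s) {
        String[] parts = s.split("\\.", -1);
        if (parts.length != 4) return false;
        for (String p : parts) {
            if (p.isEmpty() || p.length() > 3) return false;
            for (int i = 0; i < p.length(); i++) {
                if (p.charAt(i) < '0' || p.charAt(i) > '9') return false;
            }
            if (Integer.parseInt(p) > 255) return false;
        }
        return true;
    }

    /**
     * Candidate IPv6 literal: hex digits, ':' and '.' only, with at least one
     * ':'. A DNS hostname can never contain ':', so InetAddress either parses
     * such a string as a literal or rejects it; it never looks it up.
     */
    static boolean looksLikeIpv6Literal(String s) {
        if (s.indexOf(':') < 0 || s.length() > 45) return false;
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean hex = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
            if (!hex && c != ':' && c != '.') return false;
        }
        return true;
    }

    /** InetAddress for a validated literal; empty (and no lookup) for anything else. */
    static Optional<InetAddress> literal(String s) {
        if (!(isIpv4Literal(s) || looksLikeIpv6Literal(s))) return Optional.empty();
        try {
            return Optional.of(InetAddress.getByName(s)); // literal path only, no DNS
        } catch (UnknownHostException e) {
            return Optional.empty(); // malformed IPv6 literal such as "1:2"
        }
    }

    /**
     * Originating client address, or empty when it cannot be determined.
     * Callers must treat empty as an external, untrusted address: falling back
     * to the proxy's private IP would hide the failure and could satisfy a
     * "private network, SSL not required" style check.
     */
    static Optional<InetAddress> clientAddress(String peerAddress, String xForwardedFor) {
        // The header only means something when one of our own proxies set it.
        if (!TRUSTED_PROXIES.contains(peerAddress) || xForwardedFor == null) {
            return literal(peerAddress);
        }
        // X-Forwarded-For is "client, proxy1, proxy2": walk from the right,
        // skip the hops we trust, and the first untrusted hop is the client.
        String[] hops = xForwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!TRUSTED_PROXIES.contains(hop)) {
                return literal(hop);
            }
        }
        return Optional.empty(); // header named only our own proxies
    }

    public static void main(String[] args) {
        // Constructed requests: a normal client behind the proxy, a hostname
        // smuggled into the header, and a header sent directly by a client.
        List<String[]> samples = List.of(
            new String[] {"10.0.0.5", "203.0.113.7, 10.0.0.6"},
            new String[] {"10.0.0.5", "not-an-ip.example, 10.0.0.6"},
            new String[] {"198.51.100.9", "203.0.113.7"});
        for (String[] s : samples) {
            String client = clientAddress(s[0], s[1])
                .map(InetAddress::getHostAddress)
                .orElse("unknown (treat as external)");
            System.out.printf("peer=%s xff=\"%s\" -> client=%s%n", s[0], s[1], client);
        }
    }
}
```

Run it with `java ForwardedAddressGuard.java` (Java 11 or later). The first sample yields 203.0.113.7, the third ignores the header entirely because the peer is not a trusted proxy and yields 198.51.100.9, and the second reports "unknown" without `not-an-ip.example` ever reaching InetAddress. That last case is the one to carry over into any server that consumes proxy headers: validate the literal first, and when validation fails, fail closed to "external" rather than substituting a private address.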

Impact

The vulnerability can lead to costly DNS resolution operations, which an attacker could exploit to tie up IO threads and potentially cause a denial of service (DoS) in the Keycloak Server. This can affect the availability of authentication and single sign-on capabilities for web and mobile applications relying on the affected Keycloak instance (NVD).

Mitigation and workarounds

Red Hat has released security updates to address this vulnerability across multiple versions of Keycloak. Updates are available in Keycloak versions 24.0.9 and 26.0.6 through various security advisories (RHSA-2024:10175, RHSA-2024:10176, RHSA-2024:10177, and RHSA-2024:10178). The vulnerability has been resolved through a fix implemented in the Keycloak codebase (Red Hat Errata).


Related Java vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name                                 CISA KEV exploit  Has fix  Published date
CVE-2025-26866  HIGH      8.8    Java          org.apache.hugegraph:hg-pd-core                No                Yes      Dec 12, 2025
CVE-2025-66474  HIGH      8.7    Java          org.xwiki.rendering:xwiki-rendering-xml        No                Yes      Dec 10, 2025
CVE-2025-66473  HIGH      8.7    Java          org.xwiki.platform:xwiki-platform-rest-server  No                Yes      Dec 10, 2025
CVE-2025-67505  HIGH      8.4    Java          com.okta.sdk:okta-sdk-root                     No                Yes      Dec 10, 2025
CVE-2025-14518  MEDIUM    5.3    Java          tech.powerjob:powerjob-common                  No                No       Dec 11, 2025
