[ https://issues.apache.org/jira/browse/DATALAB-2858?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17568506#comment-17568506 ]

Oleksandr Polishchuk edited comment on DATALAB-2858 at 7/19/22 12:07 PM:
-------------------------------------------------------------------------

The rectangle appeared due to the incompleteness of the upper background on the
entire screen. The problem is solved, but at the same time I had to disable
theme caching in Keycloak, because it is impossible to update the changes.
Caching is disabled in files
/opt/keycloak-18.0.1/standalone/configuration/standalone-ha.xml and
/opt/keycloak-18.0.1/standalone/configuration/standalone.xml:
!https://i.imgur.com/9MtFtch.png!

Default values for variables:
    <staticMaxAge>2592000</staticMaxAge>
    <cacheThemes>true</cacheThemes>
    <cacheTemplates>true</cacheTemplates>


> Upgrade dev keycloak 
> ---------------------
>
>                 Key: DATALAB-2858
>                 URL: https://issues.apache.org/jira/browse/DATALAB-2858
>             Project: Apache DataLab
>          Issue Type: Task
>      Security Level: Public (Regular Issues)
>          Components: DataLab Main
>            Reporter: Vira Vitanska
>            Assignee: Oleksandr Polishchuk
>            Priority: Critical
>              Labels: AWS, DevOps
>   Original Estimate: 0.5m
>  Remaining Estimate: 0.5m
>
> *Threat / Description:*
> Keycloak is an open source Identity and Access Management solution targeted 
> towards modern applications and services. A flaw was found in Keycloak before 
> 13.0.0, where it is possible to force the server to call out an unverified 
> URL using the OIDC parameter request_uri. This flaw allows an attacker to use 
> this parameter to execute a Server-side request forgery (SSRF) attack.
>
> Affected Versions:
> Keycloak versions prior to 13.0.0
> QID Detection Logic:
> This detection sends a specially-crafted GET request with the request_uri
> parameter where vulnerable servers will make a DNS query that will trigger
> the Qualys Periscope detection mechanism.
>
> *Impact:*
> Successful exploitation of this vulnerability may allow a remote attacker to
> execute a blind SSRF attack by measuring the response time to perform a port
> scan of the target server or internally accessible hosts.
>
> *Solution:*
> Upgrade to [Keycloak 13.0.0|https://www.keycloak.org/downloads.html] version
> or later
> ----
> Keycloak is updated to v.18.0.1, but during log in/out a black rectangle shows
> up on the DataLab web UI. Please investigate who is responsible for it. And
> whoever is in charge is supposed to get rid of this rectangle.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
