Keycloak request_uri SSRF (CVE-2020-10770)

Description

Affected Keycloak versions contain a Server-Side Request Forgery (SSRF) vulnerability, CVE-2020-10770, in the OpenID Connect authentication flow. The server does not properly validate the 'request_uri' parameter, so an unauthenticated attacker can supply an arbitrary URL that the Keycloak server will fetch. The attacker can thereby make the server send requests to internal network resources, cloud metadata services, or other systems that are not directly reachable from the internet, effectively using the Keycloak server as a proxy for malicious requests.

Remediation

Apply security patches immediately by upgrading Keycloak to a version that addresses CVE-2020-10770. Specifically:

1. Upgrade Keycloak: Update to Keycloak version 11.0.1 or later, which includes fixes for this vulnerability
2. Verify Configuration: After upgrading, review your OpenID Connect client configurations and ensure that only trusted request_uri values are permitted
3. Network Segmentation: As a defense-in-depth measure, implement network-level controls to restrict the Keycloak server's ability to make outbound requests to internal networks and cloud metadata endpoints
4. Monitoring: Enable logging for all request_uri parameter usage and monitor for suspicious patterns, such as requests to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or cloud metadata endpoints

If immediate patching is not possible, consider implementing a Web Application Firewall (WAF) rule to block or validate request_uri parameters containing internal IP addresses or suspicious domains as a temporary mitigation.
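Steps 2 and 4 above (an allowlist of trusted request_uri values, and monitoring for values that point at internal ranges or metadata endpoints) can be combined into one check. The following is an added example, not Keycloak code or Invicti's: it classifies a request_uri value against a hypothetical allowlist and scans constructed access-log lines for the parameter. The trusted prefix, the metadata hostnames and the log lines are all assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse, unquote

# Constructed allowlist: the only request_uri prefixes this deployment trusts (hypothetical host).
TRUSTED_REQUEST_URI_PREFIXES = ("https://rp.example.com/oidc/",)

# Constructed list of hostnames/addresses that cloud metadata services commonly answer on.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}

def classify_request_uri(uri: str) -> str:
    """Return 'allowed' or 'blocked: <reason>' for an OIDC request_uri value.

    The most security-relevant reason is reported first; the allowlist check
    comes last so that a literal internal address is named as such.
    """
    host = urlparse(uri).hostname or ""  # lower-cased, brackets stripped for IPv6
    if host in METADATA_HOSTS:
        return "blocked: cloud metadata host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not a literal address
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        return "blocked: internal address"
    if not uri.startswith(TRUSTED_REQUEST_URI_PREFIXES):
        return "blocked: not in allowlist"
    return "allowed"

# Matches the URL-encoded parameter inside the request line of a common-format access log.
REQUEST_URI_RE = re.compile(r'[?&]request_uri=([^&\s"]+)')

def scan_access_log(lines):
    """Yield (client_ip, decoded request_uri, verdict) for each log line carrying request_uri."""
    for line in lines:
        match = REQUEST_URI_RE.search(line)
        if not match:
            continue
        uri = unquote(match.group(1))
        yield line.split()[0], uri, classify_request_uri(uri)

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Jun/2020:12:00:00 +0000] "GET /auth/realms/demo/protocol/openid-connect/auth?client_id=app&request_uri=https%3A%2F%2Frp.example.com%2Foidc%2Freq1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jun/2020:12:00:01 +0000] "GET /auth/realms/demo/protocol/openid-connect/auth?client_id=app&request_uri=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jun/2020:12:00:02 +0000] "GET /auth/realms/demo/protocol/openid-connect/auth?client_id=app&request_uri=https%3A%2F%2F10.0.0.5%2Fadmin HTTP/1.1" 200 512',
    '198.51.100.8 - - [10/Jun/2020:12:00:03 +0000] "GET /auth/realms/demo/account HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, uri, verdict in scan_access_log(SAMPLE_LOG_LINES):
        print(f"{client:15} {verdict:30} {uri}")
```

A hostname that later resolves to an internal address is still rejected here because it is not on the allowlist, which is why the allowlist, not the IP check alone, is the control to rely on.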