VYPR
Severity: Medium (5.7, NVD) · Advisory published Dec 17, 2024 · Updated Apr 15, 2026

CVE-2024-10973

Description

A vulnerability was found in Keycloak. The environment option KC_CACHE_EMBEDDED_MTLS_ENABLED does not work: the JGroups replication configuration is always used in plain text, which can allow an attacker with access to the adjacent networks used by JGroups to read sensitive information.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.keycloak:keycloak-quarkus-server (Maven)
Affected versions: >= 25.0.0, < 26.0.6
Patched versions: 26.0.6

Patches (2)

Commit 36defd5f33b2

cache-embedded-mtls-enabled is ignored

https://github.com/keycloak/keycloak · Pedro Ruivo · Nov 5, 2024 · via GHSA
2 files changed · +12 −4
  • quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/storage/infinispan/CacheManagerFactory.java (+1 −1, modified)
    @@ -401,7 +401,7 @@ private static int getStartTimeout() {
     
         private static void configureTransportStack(ConfigurationBuilderHolder builder, EntityManager em) {
             var transportConfig = builder.getGlobalConfigurationBuilder().transport();
    -        if (Configuration.isTrue(CachingOptions.CACHE_EMBEDDED_MTLS_ENABLED_PROPERTY)) {
    +        if (Configuration.isTrue(CachingOptions.CACHE_EMBEDDED_MTLS_ENABLED)) {
                 validateTlsAvailable(transportConfig.build());
                 var tls = new TLS()
                       .enabled(true)
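Review bot: nothing in this hunk explains why `CachingOptions.CACHE_EMBEDDED_MTLS_ENABLED` is the key that `Configuration.isTrue` resolves while `CACHE_EMBEDDED_MTLS_ENABLED_PROPERTY` is not, and the earlier commit 071032a108bd on this page already fixed this same condition once by swapping one constant for another, so this predicate has now been wrong twice. Add a short comment at the call site naming which form of the key `Configuration.isTrue` expects, and since a false result here silently skips `validateTlsAvailable(...)` and the `new TLS().enabled(true)` block, have the transport configuration log at startup whether JGroups TLS is enabled, so an ignored option shows up in the logs rather than only as plaintext replication traffic on the wire.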
    
  • quarkus/tests/integration/src/test/java/org/keycloak/it/cli/dist/OptionsDistTest.java (+11 −3, modified)
    @@ -33,6 +33,7 @@
     import java.nio.file.Paths;
     
     import static org.junit.jupiter.api.Assertions.assertEquals;
    +import static org.junit.jupiter.api.Assertions.assertTrue;
     import static org.keycloak.quarkus.runtime.cli.command.Main.CONFIG_FILE_LONG_NAME;
     
     @DistributionTest
    @@ -96,25 +97,32 @@ public void testExpressionsInConfigFile(KeycloakDistribution distribution) {
             result.assertMessage("- log-syslog-app-name: Available only when Syslog is activated.");
         }
     
    +    @Test
    +    @Order(7)
    +    @Launch({"start", "--cache-embedded-mtls-enabled=true", "--http-enabled=true", "--hostname-strict=false"})
    +    public void testCacheEmbeddedMtlsEnabled(LaunchResult result) {
    +        assertTrue(result.getOutputStream().stream().anyMatch(s -> s.contains("Property cache-embedded-mtls-key-store-file required but not specified")));
    +    }
    +
         // Start-dev should be executed as last tests - build is done for development mode
     
         @Test
    -    @Order(7)
    +    @Order(8)
         @Launch({"start-dev", "--test=invalid"})
         public void testServerDoesNotStartIfValidationFailDuringReAugStartDev(LaunchResult result) {
             assertEquals(1, result.getErrorStream().stream().filter(s -> s.contains("Unknown option: '--test'")).count());
         }
     
         @Test
    -    @Order(8)
    +    @Order(9)
         @Launch({"start-dev", "--log=console", "--log-file-output=json"})
         public void testServerDoesNotStartDevIfDisabledFileLogOption(LaunchResult result) {
             assertEquals(1, result.getErrorStream().stream().filter(s -> s.contains("Disabled option: '--log-file-output'. Available only when File log handler is activated")).count());
             assertEquals(1, result.getErrorStream().stream().filter(s -> s.contains("Possible solutions: --log, --log-console-output, --log-console-level, --log-console-format, --log-console-color, --log-level")).count());
         }
     
         @Test
    -    @Order(9)
    +    @Order(10)
         @Launch({"start-dev", "--log=file", "--log-file-output=json", "--log-console-color=true"})
         public void testServerStartDevIfEnabledFileLogOption(LaunchResult result) {
             assertEquals(0, result.getErrorStream().stream().filter(s -> s.contains("Disabled option: '--log-file-output'. Available only when File log handler is activated")).count());
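Review bot: the new `testCacheEmbeddedMtlsEnabled` proves that `--cache-embedded-mtls-enabled=true` is now honoured only through the failure path (the "Property cache-embedded-mtls-key-store-file required but not specified" validation error, i.e. `validateTlsAvailable` was reached); there is no test for the positive path where a key store is supplied and the server starts with a TLS-enabled JGroups transport, which is the behaviour the advisory says was missing. Add a companion launch that passes `--cache-embedded-mtls-key-store-file` and its trust-store counterpart and asserts a clean start, and consider following the sibling tests' style (`assertEquals(1, result.getErrorStream()...count())`) rather than `anyMatch` over `getOutputStream()`, so the assertion is also sensitive to which stream the message lands on. The `@Order` renumbering of the three unrelated start-dev tests is noise in a security fix; leaving a gap in the sequence would avoid touching them.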
    
Commit 071032a108bd

Fixing the condition for embedded cache MTLS encryption

https://github.com/keycloak/keycloak · Alexander Schwartz · Apr 20, 2024 · via GHSA
1 file changed · +1 −1
  • quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/storage/legacy/infinispan/CacheManagerFactory.java (+1 −1, modified)
    @@ -179,7 +179,7 @@ private void configureTransportStack(ConfigurationBuilderHolder builder) {
                 transportConfig.defaultTransport().stack(transportStack);
             }
     
    -        if (Configuration.isTrue(CachingOptions.CACHE_REMOTE_TLS_ENABLED)) {
    +        if (Configuration.isTrue(CachingOptions.CACHE_EMBEDDED_MTLS_ENABLED_PROPERTY)) {
                 validateTlsAvailable(transportConfig.build());
                 var tls = new TLS()
                         .enabled(true)
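Review bot: this swaps the constant gating the embedded-cache TLS branch from `CACHE_REMOTE_TLS_ENABLED` (presumably the remote-cache option) to `CACHE_EMBEDDED_MTLS_ENABLED_PROPERTY`, but it ships with no test that enables the option and checks that the branch is taken, and the later commit 36defd5f33b2 on this page had to replace the constant again with `CACHE_EMBEDDED_MTLS_ENABLED`, so the condition stayed broken after this fix. A change to the predicate that turns transport encryption on or off needs at least the launch test added in 36defd5f33b2 (`--cache-embedded-mtls-enabled=true` failing on the missing key store) in the same commit, so that a wrong key cannot land silently.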
    
