Key vulnerability information

CVE ID: CVE-2020-1714
Vulnerability type: Lack of checks in ObjectInputStream leading to Remote Code Execution
Reported: 2019-05-03 10:27 UTC
Status: CLOSED ERRATA
Severity: high
Affected Product: Security Response
Fixed in: keycloak 11.0.0
Related links:
- https://github.com/keycloak/keycloak/pull/7053
- https://issues.jboss.org/browse/KEYCLOAK-10162

Vulnerability description

The Keycloak code base contains uses of ObjectInputStream without type checks. An attacker could exploit this to inject arbitrary serialized Java objects, which are deserialized in a privileged context, leading to remote code execution.

Fix information

Erratum IDs:
- RHSA-2020:2813
- RHSA-2020:2814
- RHSA-2020:2816
- RHSA-2020:2905
- RHSA-2020:3017
- RHSA-2020:3675
- RHSA-2020:3678
- RHSA-2020:4252
- RHSA-2020:5568

Affected products
- Red Hat Single Sign-On 7.4.1
- Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6, 7, 8
- Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6, 7
- Red Hat Openshift Application Runtimes
- Red Hat Runtimes Spring Boot 2.1.15
- Red Hat Decision Manager
- Red Hat Process Automation
- Red Hat build of Quarkus 1.7.5
- Red Hat Fuse 7.8.0
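The vulnerability class named in the description, an ObjectInputStream that accepts whatever class the stream names, is illustrated below as an added example; it is not Keycloak's code and does not reproduce the fix in PR 7053. The unchecked pattern is shown beside two hardened forms: a class allow-list enforced in resolveClass (works on any Java version) and a JDK 9+ ObjectInputFilter that also caps stream depth and size. The SessionNote class, the allow-list contents and the sample payloads are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class SafeDeserializationDemo {

    // Constructed sample type: the only application class expected on the wire.
    public static final class SessionNote implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        final String value;
        SessionNote(String key, String value) { this.key = key; this.value = value; }
    }

    // BEFORE: the pattern the advisory describes. The stream, not the application,
    // decides which classes get instantiated, so any class on the classpath is fair game.
    static Object deserializeUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // AFTER (hardening 1): explicit allow-list checked in resolveClass before any class is loaded.
    // java.lang.String is listed defensively even though the stream encodes strings specially.
    static final Set<String> ALLOWED = Set.of(SessionNote.class.getName(), "java.lang.String");

    static Object deserializeAllowListed(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "class not on deserialization allow-list");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }

    // AFTER (hardening 2): JDK 9+ filter (JEP 290). "!*" rejects every class not listed before it;
    // maxdepth/maxbytes bound the object graph so a malformed stream cannot exhaust resources.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                SessionNote.class.getName() + ";java.lang.String;!*;maxdepth=5;maxbytes=65536");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    // Helper to build constructed payloads for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SessionNote("locale", "en"));
        // Constructed "unexpected" payload: a harmless JDK class that is simply not on the list.
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));

        System.out.println("unchecked accepts anything: " + (deserializeUnchecked(unexpected) instanceof ArrayList));
        System.out.println("allow-list accepts expected type: " + (deserializeAllowListed(expected) instanceof SessionNote));
        System.out.println("filter accepts expected type: " + (deserializeFiltered(expected) instanceof SessionNote));
        try {
            deserializeAllowListed(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("allow-list rejected: " + e.classname);
        }
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

Both hardened variants reject the unexpected payload before its class is loaded or its readObject runs, which is the property the advisory's "without type checks" wording points at; the allow-list should be kept as small as the application's real wire format allows, and in a deployment the filter is better set process-wide via ObjectInputFilter.Config.setSerialFilter (or the jdk.serialFilter system property) so that no ObjectInputStream is left unfiltered.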