Update resteasy-client in keycloak-admin-client to resolve CVE-2020-25633
Describe the bug
With version 17.0.1 (https://mvnrepository.com/artifact/org.keycloak/keycloak-admin-client/17.0.1) we find resteasy-client version 3.13.2, which has a known CVE. An upgrade to 6.0.0 should fix that. A manual upgrade of the resteasy client results in a couple more dependencies which then need to be manually upgraded, finally resulting in the following exception:
Caused by: java.lang.ClassCastException: class org.jboss.resteasy.client.jaxrs.internal.ResteasyClientBuilderImpl cannot be cast to class javax.ws.rs.client.ClientBuilder (org.jboss.resteasy.client.jaxrs.internal.ResteasyClientBuilderImpl and javax.ws.rs.client.ClientBuilder are in unnamed module of loader 'app')
at org.keycloak.admin.client.ClientBuilderWrapper.create(ClientBuilderWrapper.java:29) ~[keycloak-admin-client-17.0.0.jar:17.0.0]
Version
17.0.1
Expected behavior
CVE free successful build
Actual behavior
Caused by: java.lang.RuntimeException: java.lang.ClassCastException: class org.jboss.resteasy.client.jaxrs.internal.ResteasyClientBuilderImpl cannot be cast to class javax.ws.rs.client.ClientBuilder (org.jboss.resteasy.client.jaxrs.internal.ResteasyClientBuilderImpl and javax.ws.rs.client.ClientBuilder are in unnamed module of loader 'app')
at org.keycloak.admin.client.ClientBuilderWrapper.create(ClientBuilderWrapper.java:31) ~[keycloak-admin-client-17.0.0.jar:17.0.0]
at org.keycloak.admin.client.Keycloak.newRestEasyClient(Keycloak.java:66) ~[keycloak-admin-client-17.0.0.jar:17.0.0]
at org.keycloak.admin.client.Keycloak.<init>(Keycloak.java:53) ~[keycloak-admin-client-17.0.0.jar:17.0.0]
at org.keycloak.admin.client.KeycloakBuilder.build(KeycloakBuilder.java:147) ~[keycloak-admin-client-17.0.0.jar:17.0.0]
at com.project.core.config.KeyCloakSecurity.keycloak(KeyCloakSecurity.java:132) ~[classes/:?]
at com.project.core.config.KeyCloakSecurity$$EnhancerBySpringCGLIB$$af47bf3.CGLIB$keycloak$5(<generated>) ~[classes/:?]
at com.project.core.config.KeyCloakSecurity$$EnhancerBySpringCGLIB$$af47bf3$$FastClassBySpringCGLIB$$fa61fcce.invoke(<generated>) ~[classes/:?]
at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244) ~[spring-core-5.3.16.jar:5.3.16]
at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:331) ~[spring-context-5.3.16.jar:5.3.16]
at com.project.core.config.KeyCloakSecurity$$EnhancerBySpringCGLIB$$af47bf3.keycloak(<generated>) ~[classes/:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:568) ~[?:?]
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:486) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1352) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1195) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:582) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:542) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:335) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:234) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:333) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:208) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:276) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1389) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1309) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.ConstructorResolver.resolveAutowiredArgument(ConstructorResolver.java:887) ~[spring-beans-5.3.16.jar:5.3.16]
at org.springframework.beans.factory.support.ConstructorResolver.createArgumentArray(ConstructorResolver.java:791) ~[spring-beans-5.3.16.jar:5.3.16]
... 19 more
How to Reproduce?
- integrate keycloak-admin-client version 17.0.1
- run owasp scan:
mvn org.owasp:dependency-check-maven:check -Dformats="JSON" -DprettyPrint=true -DskipTests=true
Anything else?
No response
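The exception quoted above is a namespace mismatch rather than a version-resolution problem: RESTEasy 6.x implements jakarta.ws.rs.client.ClientBuilder, while keycloak-admin-client 17.0.1 is compiled against javax.ws.rs.client.ClientBuilder, so the cast in ClientBuilderWrapper cannot succeed no matter which 6.x release is chosen. The following pom.xml fragment is an added example, not code from the issue or from the Keycloak project, showing the override a practitioner can apply in their own build instead: pin RESTEasy to a 4.7.x release, which is newer than the 4.5.6 cutoff of CVE-2020-25633 and still in the javax namespace. The Maven coordinates of the consuming project, the choice of 4.7.7.Final, and the set of four RESTEasy artifacts assumed to be pulled in transitively are assumptions made here; check them against your own dependency tree.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the issue or from the Keycloak project.
     Consuming project coordinates are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>keycloak-admin-consumer</artifactId>
  <version>1.0-SNAPSHOT</version>

  <properties>
    <!-- Assumption: 4.7.7.Final is chosen as the pinned release. Any 4.x release
         above 4.5.6 clears CVE-2020-25633; 4.x stays on javax.ws.rs, so the cast to
         javax.ws.rs.client.ClientBuilder inside the admin client still works.
         Do NOT use 6.x here: it targets jakarta.ws.rs and triggers the
         ClassCastException shown in the issue. -->
    <resteasy.version>4.7.7.Final</resteasy.version>
    <keycloak.version>17.0.1</keycloak.version>
  </properties>

  <!-- dependencyManagement overrides the versions of transitive dependencies,
       so the RESTEasy artifacts that keycloak-admin-client declares are all
       moved together; mixing a 4.x client with 3.x providers is another
       source of runtime failures. The four artifacts below are the ones
       assumed to be pulled in; confirm with mvn dependency:tree. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.jboss.resteasy</groupId>
        <artifactId>resteasy-client</artifactId>
        <version>${resteasy.version}</version>
      </dependency>
      <dependency>
        <groupId>org.jboss.resteasy</groupId>
        <artifactId>resteasy-jackson2-provider</artifactId>
        <version>${resteasy.version}</version>
      </dependency>
      <dependency>
        <groupId>org.jboss.resteasy</groupId>
        <artifactId>resteasy-jaxb-provider</artifactId>
        <version>${resteasy.version}</version>
      </dependency>
      <dependency>
        <groupId>org.jboss.resteasy</groupId>
        <artifactId>resteasy-multipart-provider</artifactId>
        <version>${resteasy.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The admin client itself stays at the version from the issue. -->
    <dependency>
      <groupId>org.keycloak</groupId>
      <artifactId>keycloak-admin-client</artifactId>
      <version>${keycloak.version}</version>
    </dependency>
  </dependencies>
</project>
```

After applying the override, run `mvn dependency:tree -Dincludes=org.jboss.resteasy` and confirm that every RESTEasy artifact now resolves to the pinned 4.7.x version and nothing at 3.13.2 remains; then rerun the dependency-check command from the reproduction steps to confirm CVE-2020-25633 no longer appears. This is a consumer-side workaround only; the proper fix is the upstream version bump in keycloak-admin-client that the comments below refer to.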
Issue Analytics
- Created a year ago
- Reactions: 11
- Comments: 6 (4 by maintainers)
Top GitHub Comments
Please somebody update the dependencies to resteasy - it should not take over a year to update this!! https://mvnrepository.com/artifact/org.keycloak/keycloak-admin-client/18.0.2
It’s a duplicate. The fix is already committed. Just waiting on a release. Ticket can be closed.