CVE-2023-6563: Allocation of Resources Without Limits or Throttling in Red Hat Single Sign-On 7.6 for RHEL 7
CVE-2023-6563 is a high-severity vulnerability in Red Hat Single Sign-On (RH-SSO) 7.6 for RHEL 7, caused by unconstrained memory consumption when loading offline client sessions in the admin UI. It occurs in environments with millions of offline tokens, where opening the 'consents' tab with multiple user sessions causes excessive memory and CPU usage, potentially crashing the system. Exploitation requires authenticated access with at least two user sessions and no user interaction beyond accessing the admin UI. The vulnerability impacts availability but not confidentiality or integrity. There are no known exploits in the wild yet. European organizations using RH-SSO at scale, especially in sectors with large user bases, are at risk. Mitigation involves limiting offline token counts, monitoring resource usage, and applying vendor patches once available. Countries with significant Red Hat enterprise deployments and critical infrastructure relying on RH-SSO are most likely affected.
AI Analysis
Technical Summary
CVE-2023-6563 is a resource exhaustion vulnerability identified in Red Hat Single Sign-On (RH-SSO) version 7.6 running on Red Hat Enterprise Linux 7. The root cause lies in the Keycloak component used by RH-SSO, specifically when handling offline client sessions in the administrative user interface. In large-scale deployments with millions of offline tokens—typically environments supporting over 500,000 users each maintaining multiple saved sessions—an attacker who can authenticate and create two or more user sessions can trigger the vulnerability by opening the 'consents' tab in the admin UI. This action causes the system to attempt loading an extremely large number of offline client sessions without any throttling or limits on resource allocation. Consequently, the server experiences excessive memory and CPU consumption, which can lead to a denial-of-service (DoS) condition by crashing or severely degrading the availability of the RH-SSO service. The vulnerability does not impact confidentiality or integrity, as it requires authenticated access and does not allow data manipulation or leakage. The CVSS v3.1 score is 7.7, reflecting high severity due to network attack vector, low attack complexity, required privileges, no user interaction, and impact limited to availability with scope change. No public exploits have been reported yet, but the vulnerability poses a significant risk to large-scale identity management deployments relying on RH-SSO 7.6 on RHEL 7.
Potential Impact
For European organizations, especially those operating large-scale identity and access management infrastructures using Red Hat Single Sign-On 7.6 on RHEL 7, this vulnerability presents a critical availability risk. Organizations with extensive user bases—such as government agencies, financial institutions, telecommunications providers, and large enterprises—may have millions of offline tokens and multiple user sessions, making them susceptible to resource exhaustion attacks. A successful exploitation could lead to denial of service, disrupting authentication services and potentially halting access to critical applications and services dependent on RH-SSO. This could result in operational downtime, loss of productivity, and damage to reputation. Additionally, the cascading effects of authentication service outages could impact compliance with regulatory requirements such as GDPR, especially if service interruptions affect user data access controls. While no confidentiality or integrity breaches are indicated, the availability impact alone can have severe consequences for business continuity and security posture.
Mitigation Recommendations
To mitigate CVE-2023-6563, organizations should first monitor and audit the number of offline tokens and user sessions maintained in their RH-SSO deployments, aiming to limit the total count to manageable levels below the millions threshold. Implementing session and token lifecycle management policies to regularly expire and clean up stale offline tokens can reduce risk. Administrators should restrict access to the RH-SSO admin UI, especially the 'consents' tab, to trusted personnel and consider network segmentation or VPN access controls to limit exposure. Applying any official patches or updates from Red Hat as soon as they become available is critical. In the interim, organizations can implement resource usage monitoring and alerting on RH-SSO servers to detect abnormal memory or CPU spikes. Additionally, consider deploying rate limiting or throttling mechanisms at the application or infrastructure level to prevent excessive resource consumption triggered by UI actions. Finally, review and harden authentication and authorization policies to minimize the number of concurrent sessions per user and enforce strong session management practices.
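A monitoring check for the offline-token audit recommended above, written as an added example (not code from this advisory or from Red Hat). It calls two Keycloak admin REST endpoints that RH-SSO exposes; the base URL, realm, admin token, sample client names and the 500,000 alert threshold are assumptions to adapt.

```python
"""Audit offline session counts per client in a Keycloak / RH-SSO realm.

Added example, not code from the advisory or from Red Hat. It uses two
Keycloak admin REST endpoints (assumed reachable under base_url):
  GET {base}/admin/realms/{realm}/clients                             -> [ {id, clientId, ...} ]
  GET {base}/admin/realms/{realm}/clients/{id}/offline-session-count  -> {"count": N}
The base URL (RH-SSO 7.x serves the admin API under /auth), realm name,
admin token and the alert threshold are assumptions to adapt.
"""
import json
import urllib.request
from typing import Dict, List, Tuple


def evaluate_counts(counts: Dict[str, int], threshold: int) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (total offline sessions, clients at or above threshold, largest first)."""
    total = sum(counts.values())
    offenders = sorted(((c, n) for c, n in counts.items() if n >= threshold),
                       key=lambda item: item[1], reverse=True)
    return total, offenders


def _get_json(url: str, token: str):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_offline_session_counts(base_url: str, realm: str, token: str) -> Dict[str, int]:
    """Query the admin API for every client's offline session count.
    `token` must be an access token with realm-management rights (e.g. view-clients, view-users)."""
    clients = _get_json(f"{base_url}/admin/realms/{realm}/clients", token)
    counts = {}
    for client in clients:
        url = f"{base_url}/admin/realms/{realm}/clients/{client['id']}/offline-session-count"
        counts[client["clientId"]] = int(_get_json(url, token).get("count", 0))
    return counts


if __name__ == "__main__":
    # Constructed sample standing in for a live query; for a real run use
    # fetch_offline_session_counts("https://sso.example.com/auth", "master", token).
    sample = {"web-portal": 1_250_000, "mobile-app": 830_000, "admin-cli": 12}
    total, offenders = evaluate_counts(sample, threshold=500_000)
    print(f"total offline sessions across clients: {total}")
    for client_id, n in offenders:
        print(f"ALERT {client_id}: {n} offline sessions (>= 500000)")
```

Run it from cron and feed the ALERT lines to your alerting pipeline so a climb toward the millions range is visible before the admin UI becomes a denial-of-service trigger.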
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2023-12-06T18:47:35.594Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e7a23aba0e608b4f980f67
Added to database: 10/9/2025, 11:53:30 AM
Last enriched: 10/9/2025, 12:07:55 PM
Last updated: 10/9/2025, 3:50:33 PM