Red Hat has released updated images for the Red Hat build of Keycloak 24.0.7 to address three security vulnerabilities: CVE-2024-7341 (session fixation in Elytron SAML adapters), CVE-2024-7318 (One Time Passcode validity exceeding expiration), and CVE-2024-7260 (open redirect on the Account page). These vulnerabilities affect authentication and session handling components within Keycloak, potentially allowing session fixation attacks, extended OTP validity beyond intended limits, and open redirect attacks. The update aligns the containerized Keycloak images for OpenShift with the standalone product release. The advisory confirms the availability of fixed images for multiple architectures and recommends backing up existing installations before updating.

The vulnerabilities impact authentication and session management in Keycloak, potentially allowing attackers to exploit session fixation, misuse OTPs beyond their expiration, or leverage open redirect flaws on the Account page. These issues could undermine the integrity of user sessions and authentication flows. However, no known exploits in the wild have been reported. The overall severity is assessed as medium by Red Hat.

Red Hat has released updated Keycloak 24.0.7 container images that address these vulnerabilities. Users should apply these updated images to their OpenShift deployments after backing up existing installations, including applications, configurations, and databases. Since this is a containerized product for on-premise or private cloud use, remediation is managed by applying the updated images provided by Red Hat. There is no indication from the vendor advisory that additional mitigations or workarounds are required.