
Richard Kettelerij

Rank: #19537 of 53,632
Total CVSS: 13.4
Vulnerabilities: 2 (Medium: 1, High: 1)
PT-2018-7116 · CVSS 5.9 · 2018-03-12 · Red Hat · Red Hat Keycloak · CVE-2017-2585
**Name of the Vulnerable Software and Affected Versions** Red Hat Keycloak versions prior to 2.5.1 **Description** The HMAC verification of JWS tokens compares the expected and the presented MAC with a method that runs in non-constant time, so the comparison exits at the first differing byte and its duration depends on how long the matching prefix is. This potentially leaves the application vulnerable to timing attacks, in which an attacker measures response times to learn the correct signature bytes without knowing the key. **Recommendations** For versions prior to 2.5.1, update to version 2.5.1 or later to resolve the issue.
PT-2017-15692 · CVSS 7.5 · 2017-08-10 · Apache · Apache CXF · CVE-2017-3156
**Name of the Vulnerable Software and Affected Versions** Apache CXF versions prior to 3.0.13; Apache CXF versions 3.1.x prior to 3.1.10 **Description** The OAuth2 Hawk and JOSE MAC validation code does not use a constant-time MAC signature comparison, so the time taken to reject a bad MAC depends on how many of its leading bytes are correct. This could potentially be exploited by sophisticated timing attacks to recover a valid MAC byte by byte. **Recommendations** For Apache CXF versions prior to 3.0.13, update to version 3.0.13 or later. For Apache CXF versions 3.1.x prior to 3.1.10, update to version 3.1.10 or later.
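Both entries above describe the same defect class: a MAC is checked with an early-exit comparison whose running time reveals how many leading bytes of the attacker's guess are correct. The following Python is an added example, not code from Keycloak or Apache CXF, showing the leak on a minimal HS256 JWS verifier. `leaky_equal` mimics the vulnerable pattern and also returns how many bytes it examined, so the prefix leak is visible without noisy timing measurements; `constant_time_equal` and `hmac.compare_digest` always process every byte. The key, payloads and function names are constructed for the demo.

```python
"""Non-constant-time vs constant-time MAC comparison on an HS256 JWS.
Added example; not Keycloak or Apache CXF code."""
import base64
import hashlib
import hmac
import json

# Constructed demo key; not a real secret.
DEMO_KEY = b"demo-hmac-key-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def leaky_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison of the kind the advisories describe.

    Returns (equal, bytes_examined). The work done, and therefore the time
    taken, grows with the length of the matching prefix; an attacker who can
    measure it learns one correct byte of the MAC at a time.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:          # stops at the first mismatch: the leak
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Examines every byte regardless of where the first mismatch is."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y       # accumulate, never branch on the data
    return diff == 0, len(a)


def sign_hs256(payload: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) with HS256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                               separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(tag)}"


def verify_hs256(token: str, key: bytes, constant_time: bool = True) -> bool:
    """Verify an HS256 JWS.

    constant_time=True uses hmac.compare_digest (the kind of fix shipped for
    both CVEs); constant_time=False reproduces the vulnerable early-exit
    comparison so the two behaviours can be compared side by side.
    """
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(b64url_decode(header))
        provided = b64url_decode(sig)
    except (ValueError, UnicodeDecodeError):
        return False
    if hdr.get("alg") != "HS256":    # refuse alg confusion, e.g. "none"
        return False
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"),
                        hashlib.sha256).digest()
    if constant_time:
        return hmac.compare_digest(expected, provided)
    return leaky_equal(expected, provided)[0]


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice"}, DEMO_KEY)
    good_tag = b64url_decode(token.split(".")[2])
    # An attacker's guess that has the first 5 bytes right and the rest wrong.
    guess = good_tag[:5] + bytes(len(good_tag) - 5)
    print("leaky examined:", leaky_equal(good_tag, guess)[1])          # 6
    print("constant-time examined:", constant_time_equal(good_tag, guess)[1])  # 32
    print("valid token verifies:", verify_hs256(token, DEMO_KEY))
```

The numbers printed by the demo are the point: with the early-exit comparison the count of examined bytes (and so the response time) is one more than the length of the correct prefix, while the constant-time version always touches all 32 bytes of the SHA-256 tag. In Java, the equivalent of `hmac.compare_digest` is `MessageDigest.isEqual`, which is what replaces `Arrays.equals` or `String.equals` on MACs.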