AXSA:2022-3591:01

Release date: Friday, July 22, 2022 - 04:50
Subject: mod_auth_openidc:2.3 security update
Affected Channels: Asianux Server 8 for x86_64
Severity: Moderate
Description: 

mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

Security Fix(es):

* mod_auth_openidc: open redirect in oidc_validate_redirect_url() (CVE-2021-32786)
* mod_auth_openidc: hardcoded static IV and AAD with a reused key in AES GCM encryption (CVE-2021-32791)
* mod_auth_openidc: XSS when using OIDCPreservePost On (CVE-2021-32792)
* mod_auth_openidc: open redirect due to target_link_uri parameter not validated (CVE-2021-39191)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2021-32786
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, the check can be bypassed, leading to an open redirect in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash in the redirect URL with a slash, addressing a breaking difference between the URL specifications (RFC 2396 / RFC 3986, where a backslash is an ordinary character, and WHATWG, where browsers treat it as a slash in http(s) URLs). As a workaround, this vulnerability can be mitigated by configuring `mod_auth_openidc` to allow only redirect destinations that match a given regular expression (the `OIDCRedirectURLsAllowed` directive).
CVE-2021-32791
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. This matters because GCM runs AES in counter mode: the keystream depends only on the key and the nonce (IV), so a hardcoded IV under a reused key repeats the same keystream for every message, which leaks the XOR of plaintexts and undermines the integrity guarantee of the authentication tag. From 2.4.9 onwards this has been patched to use dynamic values through the cjose AES encryption routines.
CVE-2021-32792
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability when using `OIDCPreservePost On`.
CVE-2021-39191
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the `target_link_uri` parameter. A patch in version 2.4.9.4 made it so that the `OIDCRedirectURLsAllowed` setting must be applied to the `target_link_uri` parameter. There are no known workarounds aside from upgrading to a patched version.

Modularity name: mod_auth_openidc
Stream name: 2.3

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. cjose-0.6.1-2.module+el8+1454+460220d2.src.rpm
    MD5: abc752ec6193c5e56aac49a7b763c694
    SHA-256: 88203ade5950888564defec8727a0d7333f73f185909a161c29d277bfb655433
    Size: 1.52 MB
  2. mod_auth_openidc-2.3.7-11.module+el8+1454+460220d2.src.rpm
    MD5: 8d9ec70c390e4ee10ac50e2045d7e199
    SHA-256: 20f0c3943d17bd002803ab8bb9859eb1bbaf045d4b828da3bfdaff23c06d5b86
    Size: 301.33 kB

Asianux Server 8 for x86_64
  1. cjose-0.6.1-2.module+el8+1454+460220d2.x86_64.rpm
    MD5: 1f51ae6d9073b39151155d405e1abe31
    SHA-256: e491552196bc4b8b0274369a77ccaa321acc818b8edc4a7ed757e3e564b9a817
    Size: 183.13 kB
  2. cjose-debugsource-0.6.1-2.module+el8+1454+460220d2.x86_64.rpm
    MD5: 9d479e6658605883c2b18c86434edd15
    SHA-256: 6234d937e61155f72c4aa63c177995e6c4a2a200f773ac4606d2e448283c2c53
    Size: 41.24 kB
  3. cjose-devel-0.6.1-2.module+el8+1454+460220d2.x86_64.rpm
    MD5: 13f025a45b708716d7f335836e43e6ff
    SHA-256: 27aecae05628a039e8b5a1c52bf03219e139cd14c16c50c05750cb490e8ec899
    Size: 17.38 kB
  4. mod_auth_openidc-2.3.7-11.module+el8+1454+460220d2.x86_64.rpm
    MD5: 1773a74a7776388395951e019e7c9446
    SHA-256: 82bf72ca1022434a0594feb4ff2d77be2b220cf21cac463037f869a0293109c1
    Size: 176.25 kB
  5. mod_auth_openidc-debugsource-2.3.7-11.module+el8+1454+460220d2.x86_64.rpm
    MD5: 29d4ceba8c395033ec10d507fc732c12
    SHA-256: 850f2e437942c82b87ac580afd6eb7ade52d2e1685c7068c33a42b05d216abfc
    Size: 137.57 kB
Copyright 2007-2022 Cybertrust Japan Co., Ltd. All rights reserved.