mod_auth_openidc:2.3 security update

エラータID: AXSA:2023-6296:01

Release date: 
Friday, August 4, 2023 - 06:43
Subject: 
mod_auth_openidc:2.3 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

Security Fix(es):

* cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE (CVE-2023-37464)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2023-37464
OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).

Modularity name: mod_auth_openidc
Stream name: 2.3

Solution: 

Update packages.

CVEs: 
CVE-2023-37464
OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).
Additional Info: 

N/A

Download: 

SRPMS
  1. cjose-0.6.1-3.module+el8+1651+93bcdc1a.src.rpm
    MD5: 089c83a774572fdb486c7923e1ed28ef
    SHA-256: 374e8229d650f98126994ec048262d21efbbc48f36d577ab1a614a4e30dd3dda
    Size: 1.52 MB
  2. mod_auth_openidc-2.4.9.4-1.module+el8+1651+93bcdc1a.src.rpm
    MD5: b5842556cbf75da1b5ff364f0e3f51d6
    SHA-256: c86782a4e9443b899292589f713901bcc8b24d99026cf129fa526ffd9a731b07
    Size: 269.11 kB

Asianux Server 8 for x86_64
  1. cjose-0.6.1-3.module+el8+1651+93bcdc1a.x86_64.rpm
    MD5: 14aed8a6b1e51fd04d94685034953ebc
    SHA-256: 39a092e1403d2ff12a416ca90c134560be3e0277feab02ff20a32f442de65c5a
    Size: 183.38 kB
  2. cjose-debugsource-0.6.1-3.module+el8+1651+93bcdc1a.x86_64.rpm
    MD5: 0333eed27de9b61100be8e33cd87a506
    SHA-256: a4e040a5ddb81d9ced2eb97e43ca581d0869e5e28114f9e83c00cd7990a9a2ae
    Size: 41.49 kB
  3. cjose-devel-0.6.1-3.module+el8+1651+93bcdc1a.x86_64.rpm
    MD5: db1cc0e2ce6c7f1732afc61671d80ee9
    SHA-256: 19cf4bb92831b90fd2775b5e484931d8e0cb31c816f2e36647ade68d9a416c2d
    Size: 17.60 kB
  4. mod_auth_openidc-2.4.9.4-1.module+el8+1651+93bcdc1a.x86_64.rpm
    MD5: 4779df828173622007a602638b15e979
    SHA-256: 013adb73be54596290be2c55f05cd0376cdb82b066b335859c3d5672a41e7c29
    Size: 195.09 kB
  5. mod_auth_openidc-debugsource-2.4.9.4-1.module+el8+1651+93bcdc1a.x86_64.rpm
    MD5: 400dba49177d64e5d94b631586115b80
    SHA-256: 136805dea5e726d2f4c1f13c5f6cad94a00307657bf0e98751438b9744176b82
    Size: 149.12 kB