mod_auth_openidc:2.3 security update
エラータID: AXSA:2024-8687:01
The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Security Fix(es):
* mod_auth_openidc: DoS when using `OIDCSessionType client-cookie` and manipulating cookies (CVE-2024-24814)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2024-24814
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error. Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Modularity name: "mod_auth_openidc"
Stream name: "2.3"
Update packages.
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error. Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
N/A
SRPMS
- cjose-0.6.1-4.module+el8+1795+f5e70d65.src.rpm
MD5: 0d3976c4e0372909dde0ad6475846ad7
SHA-256: 41ae7496572dd0f608e7d5fb8d0935103e1bf01ac0c126f14754c370e8ed9a0f
Size: 1.52 MB - mod_auth_openidc-2.4.9.4-6.module+el8+1795+f5e70d65.src.rpm
MD5: 35ae324fe518b87273082533b0c305a0
SHA-256: de2a87f4a8f5d3c4ea3c29b29c97244e15fce9abb347f8d54f1f412139d31fcb
Size: 274.05 kB
Asianux Server 8 for x86_64
- cjose-0.6.1-4.module+el8+1795+f5e70d65.x86_64.rpm
MD5: f9bbd83cc247050be94c5404339ef025
SHA-256: 38610219713168fb493f5e89aed435b3ce14c19fd21241434dc9365def1bb961
Size: 183.39 kB - cjose-debugsource-0.6.1-4.module+el8+1795+f5e70d65.x86_64.rpm
MD5: 37c359f5eb98c3156236eaf10ca871bd
SHA-256: 8b3bf10bdf59336d7a795a6b119dd578e03cf009deb466b7a71bfc7bd624f17e
Size: 41.53 kB - cjose-devel-0.6.1-4.module+el8+1795+f5e70d65.x86_64.rpm
MD5: 7bd09121d613248ac53013f172dc90fb
SHA-256: faa64f3ff527789d7d687cd5007f7b2652c070ad48cafe5ab00b6f68c3af8a26
Size: 17.64 kB - mod_auth_openidc-2.4.9.4-6.module+el8+1795+f5e70d65.x86_64.rpm
MD5: 70f58c64a2f8f5dccef1b8ace174f935
SHA-256: f48912640ea5e60f256a361d946291e63af5846f24dc609a7e7abddbc09888d9
Size: 196.65 kB - mod_auth_openidc-debugsource-2.4.9.4-6.module+el8+1795+f5e70d65.x86_64.rpm
MD5: 62330553dd02ae8f4fd3c18b6956e32d
SHA-256: 9243965aa00ac828b7acdee93dc16d6423a34bbbf44e9f54f32d7030e8c4b88c
Size: 150.38 kB
日本語