mod_auth_openidc:2.3 security update
Errata ID: AXSA:2022-3591:01
Release date:
2022/07/22 Friday - 04:50
Title:
mod_auth_openidc:2.3 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- mod_auth_openidc has a vulnerability in which, because the oidc_validate_redirect_url() function does not parse URLs the same way most browsers do, the validation performed by this function can be bypassed, enabling an open redirect attack at logout. (CVE-2021-32786)
- mod_auth_openidc uses a static IV and AAD for AES GCM encryption, which creates a static nonce and so results in the same key being reused. (CVE-2021-32791)
- When 'OIDCPreservePost On' is configured, mod_auth_openidc has a vulnerability that enables cross-site scripting attacks. (CVE-2021-32792)
- mod_auth_openidc has a vulnerability that enables an open redirect attack when a third party initiates SSO by supplying a crafted URL in the target_link_uri parameter. (CVE-2021-39191)
Modularity name: mod_auth_openidc
Stream name: 2.3
Solution:
Update the packages.
CVE:
CVE-2021-32786
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9, `oidc_validate_redirect_url()` does not parse URLs the same way as most browsers do. As a result, this function can be bypassed and leads to an Open Redirect vulnerability in the logout functionality. This bug has been fixed in version 2.4.9 by replacing any backslash of the URL to redirect with slashes to address a particular breaking change between the different specifications (RFC2396 / RFC3986 and WHATWG). As a workaround, this vulnerability can be mitigated by configuring `mod_auth_openidc` to only allow redirection whose destination matches a given regular expression.
CVE-2021-32791
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has been patched to use dynamic values through usage of cjose AES encryption routines.
CVE-2021-32792
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, there is an XSS vulnerability when using `OIDCPreservePost On`.
CVE-2021-39191
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the 3rd-party init SSO functionality of mod_auth_openidc was reported to be vulnerable to an open redirect attack by supplying a crafted URL in the `target_link_uri` parameter. A patch in version 2.4.9.4 made it so that the `OIDCRedirectURLsAllowed` setting must be applied to the `target_link_uri` parameter. There are no known workarounds aside from upgrading to a patched version.
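Both CVE-2021-32786 and CVE-2021-39191 come down to the same check: where may a redirect target point, and is that check applied after the URL has been normalised the way a browser will read it? The following Python is an added example written for this advisory; it is not mod_auth_openidc's own code and does not reproduce its parser. The allowlist regex, the function names and the `__main__` sample inputs are constructed for illustration; `OIDCRedirectURLsAllowed` is named in the advisory, but the regex value below only stands in for such a setting.

```python
"""Redirect-target validation for an OpenID Connect Relying Party (illustrative).

Added example, not mod_auth_openidc's code.  It shows the two points the
advisory makes: (1) turn backslashes into slashes *before* parsing, because
RFC 3986 parsers and WHATWG browsers disagree about them, and (2) apply the
same allowlist to the target_link_uri parameter of third-party-initiated SSO.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist standing in for an OIDCRedirectURLsAllowed-style
# pattern (the directive name is from the advisory; this value is hypothetical).
ALLOWED_REDIRECT_RE = re.compile(r"^https://app\.example\.com(/.*)?$")


def naive_validate_redirect_url(url: str, allowed: re.Pattern = ALLOWED_REDIRECT_RE) -> bool:
    """The weak pattern the advisory describes: a URL with no authority
    component is trusted as a same-site relative path.  An RFC 3986 parser
    sees no netloc in "/\\other.example/x", but a WHATWG browser treats the
    leading "/\\" as "//" and navigates to other.example."""
    parts = urlsplit(url)
    if not parts.netloc:
        return True
    return allowed.match(url) is not None


def validate_redirect_url(url: str, allowed: re.Pattern = ALLOWED_REDIRECT_RE) -> bool:
    """Hardened check: normalise first, then accept only a local path or an
    allowlisted absolute URL."""
    normalized = url.replace("\\", "/")          # the 2.4.9 fix, applied before parsing
    if normalized.startswith("/") and not normalized.startswith("//"):
        return True                               # same-site relative path
    parts = urlsplit(normalized)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False                              # scheme-relative or unparseable
    return allowed.match(normalized) is not None


def validate_target_link_uri(query_string: str, allowed: re.Pattern = ALLOWED_REDIRECT_RE) -> bool:
    """Apply the same allowlist to target_link_uri in a third-party-init SSO
    request (the 2.4.9.4 fix).  A missing or repeated value is rejected."""
    values = parse_qs(query_string).get("target_link_uri", [])
    if len(values) != 1:
        return False
    return validate_redirect_url(values[0], allowed)


if __name__ == "__main__":
    # Constructed sample inputs: two benign targets, one foreign host,
    # and one backslash form on which the two parsers disagree.
    for candidate in ["/account", "https://app.example.com/done",
                      "https://other.example/x", "/\\other.example/x"]:
        print(f"{candidate!r}: naive={naive_validate_redirect_url(candidate)} "
              f"hardened={validate_redirect_url(candidate)}")
```

The hardened function normalises before it parses, which is the order that matters: validating the raw string and then letting the browser reinterpret it is exactly the gap the advisory describes. Running the same function over `target_link_uri` is the behaviour the 2.4.9.4 change introduced, so a deployment that already has a redirect allowlist gets the same protection on the third-party SSO entry point.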
Additional information:
N/A
Downloads:
SRPMS
- cjose-0.6.1-2.module+el8+1454+460220d2.src.rpm
  MD5: abc752ec6193c5e56aac49a7b763c694
  SHA-256: 88203ade5950888564defec8727a0d7333f73f185909a161c29d277bfb655433
  Size: 1.52 MB
- mod_auth_openidc-2.3.7-11.module+el8+1454+460220d2.src.rpm
  MD5: 8d9ec70c390e4ee10ac50e2045d7e199
  SHA-256: 20f0c3943d17bd002803ab8bb9859eb1bbaf045d4b828da3bfdaff23c06d5b86
  Size: 301.33 kB
Asianux Server 8 for x86_64
- cjose-0.6.1-2.module+el8+1454+460220d2.x86_64.rpm
  MD5: 1f51ae6d9073b39151155d405e1abe31
  SHA-256: e491552196bc4b8b0274369a77ccaa321acc818b8edc4a7ed757e3e564b9a817
  Size: 183.13 kB
- cjose-debugsource-0.6.1-2.module+el8+1454+460220d2.x86_64.rpm
  MD5: 9d479e6658605883c2b18c86434edd15
  SHA-256: 6234d937e61155f72c4aa63c177995e6c4a2a200f773ac4606d2e448283c2c53
  Size: 41.24 kB
- cjose-devel-0.6.1-2.module+el8+1454+460220d2.x86_64.rpm
  MD5: 13f025a45b708716d7f335836e43e6ff
  SHA-256: 27aecae05628a039e8b5a1c52bf03219e139cd14c16c50c05750cb490e8ec899
  Size: 17.38 kB
- mod_auth_openidc-2.3.7-11.module+el8+1454+460220d2.x86_64.rpm
  MD5: 1773a74a7776388395951e019e7c9446
  SHA-256: 82bf72ca1022434a0594feb4ff2d77be2b220cf21cac463037f869a0293109c1
  Size: 176.25 kB
- mod_auth_openidc-debugsource-2.3.7-11.module+el8+1454+460220d2.x86_64.rpm
  MD5: 29d4ceba8c395033ec10d507fc732c12
  SHA-256: 850f2e437942c82b87ac580afd6eb7ade52d2e1685c7068c33a42b05d216abfc
  Size: 137.57 kB