mod_auth_openidc-2.4.10-1.el9
Errata ID: AXSA:2024-9233:01
Release date:
2024/12/12 Thursday - 16:45
Title:
mod_auth_openidc-2.4.10-1.el9
Affected channels:
MIRACLE LINUX 9 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- The mod_auth_openidc_session_chunks() function in mod_auth_openidc lacks validation of the supplied Cookie value, so a remote attacker can cause a denial of service (slowdown and crash) via a crafted request. (CVE-2024-24814)
Solution:
Update the package.
CVE:
CVE-2024-24814
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error. Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
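The defensive check the description above calls for, as an added example that is not mod_auth_openidc's own code: parse the mod_auth_openidc_session_chunks cookie strictly and reject anything outside a small bounded range before any per-chunk work is done. The cookie-header scanner, the MAX_SESSION_CHUNKS value of 8 and the function name parse_chunk_count are assumptions for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on how many cookie chunks one session may span.
 * The real module's limit is not stated on the page; 8 is a constructed value. */
#define MAX_SESSION_CHUNKS 8

/* Return a pointer to the value of cookie `name` inside a "k=v; k=v" Cookie
 * header, storing its length in `len`, or NULL if the cookie is absent. */
static const char *find_cookie(const char *hdr, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *p = hdr;
    while (p && *p) {
        while (*p == ' ' || *p == ';') p++;
        /* Require the full name followed by '=' so a prefix such as
         * "mod_auth_openidc_session" does not match "..._session_chunks". */
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *e = strchr(v, ';');
            *len = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p = strchr(p, ';');
    }
    return NULL;
}

/* Parse the chunk count from a Cookie header. Returns the count when it is a
 * plain decimal integer in [1, MAX_SESSION_CHUNKS], otherwise -1: missing
 * cookie, empty value, sign characters, trailing garbage, or an oversized
 * value such as the 99999999 cited in the advisory are all rejected before
 * the caller ever loops over chunk cookies. */
int parse_chunk_count(const char *cookie_hdr) {
    size_t len;
    const char *v = find_cookie(cookie_hdr, "mod_auth_openidc_session_chunks", &len);
    if (!v || len == 0 || len > 3) return -1;       /* more than 3 digits can never be in range */
    for (size_t i = 0; i < len; i++)
        if (v[i] < '0' || v[i] > '9') return -1;    /* digits only: no '-', '+', or spaces */
    char buf[4];
    memcpy(buf, v, len);
    buf[len] = '\0';
    long n = strtol(buf, NULL, 10);
    if (n < 1 || n > MAX_SESSION_CHUNKS) return -1;
    return (int)n;
}
```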
Additional information:
N/A
Downloads:
SRPMS
- mod_auth_openidc-2.4.10-1.el9.src.rpm
MD5: 2b8982d5ac11a51bae2f701d720fbf7c
SHA-256: da9c9725b591ef3b54d71c6341dd6cee9edb676b80ac724d72e18d950c7dc003
Size: 591.04 kB
Asianux Server 9 for x86_64
- mod_auth_openidc-2.4.10-1.el9.x86_64.rpm
MD5: 671a130409ae2d4664f60fe5737ce973
SHA-256: dcd07a351ef0fe3ba8597b9b42c98ca2f8d549bf596e11a739ada3baf296bf07
Size: 194.20 kB