CVE-2021-32791

Published: Jul 26, 2021Modified: Nov 21, 2024

5.9

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has been patched to use dynamic values through usage of cjose AES encryption routines.

Affected (3)

Products: Openidc: Mod Auth Openidc · Fedoraproject: Fedora

1 product

Mod Auth Openidc

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Openidc Mod Auth Openidc	Before 2.4.9

Running on/with	Platform Versions
Apache Http Server	From 2.0.0 to 2.4.48

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34

Related CWEs

Reusing a Nonce, Key Pair in Encryption

Nonces should be used for the present occasion and only once.

Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

References (14)

https://github.com/zmartzone/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9

Source: security-advisories@github.com

Release NotesThird Party Advisory

https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-px3c-6x7j-3r9r

Source: security-advisories@github.com

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html

Source: security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/

Source: security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/

Source: security-advisories@github.com

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/zmartzone/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-px3c-6x7j-3r9r

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.