Bug 1805102 (CVE-2019-20479)

Summary: CVE-2019-20479 mod_auth_openidc: Open redirect issue exists in URLs with slash and backslash
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jdennis, jhrozek, jpazdziora, puiterwijk, sssd-qe
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mod_auth_openidc 2.4.1 Doc Type: If docs needed, set a value
Doc Text:
An open redirect flaw was discovered in mod_auth_openidc where it handles logout redirection. The module does not correctly validate the URL, allowing a URL with slash and backslash at the beginning to bypass the protection checks. A victim user may be tricked into visiting a trusted vulnerable web site, which would redirect him to another, possibly malicious, URL.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-21 19:27:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1805104, 1805748, 1805749, 1820662    
Bug Blocks: 1805106    

Description Dhananjay Arunesh 2020-02-20 09:21:01 UTC 
A vulnerability was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.

Reference:
https://github.com/zmartzone/mod_auth_openidc/commit/02431c0adfa30f478cf2eb20ed6ea51fdf446be7
https://github.com/zmartzone/mod_auth_openidc/pull/453
Comment 1 Dhananjay Arunesh 2020-02-20 09:21:51 UTC 
Created mod_auth_openidc tracking bugs for this issue:

Affects: fedora-all [bug 1805104]
Comment 2 Riccardo Schirone 2020-02-21 13:01:05 UTC 
Statement:

It is not possible to reproduce the open redirect vulnerability in the versions of mod_auth_openidc as shipped in Red Hat Enterprise Linux 7, as a missing check makes the process crash, due to a NULL pointer dereference, instead of letting it continue with an invalid URL.
Comment 3 Riccardo Schirone 2020-02-21 13:03:27 UTC 
The version of mod_auth_openidc as shipped with Red Hat Enterprise Linux 7 does not contain the patched code, however due to a missing check, this issue does not manifest as an Open Redirect flaw, but it triggers a NULL pointer dereference while parsing the logout URL. For this reason, the only impact on RHEL 7 is to Availability, because the httpd process would die, even though others can take other requests.
Comment 4 Riccardo Schirone 2020-02-21 13:04:45 UTC 
This flaw is similar to CVE-2019-14857, but it is about a new way to bypass the security checks. This one involves URLs beginning with `/\`, while CVE-2019-14857 is about URLs beginning with `///`.
Comment 8 errata-xmlrpc 2020-07-21 14:47:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3032 https://access.redhat.com/errata/RHSA-2020:3032
Comment 9 Product Security DevOps Team 2020-07-21 19:27:53 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20479
Comment 10 errata-xmlrpc 2020-09-29 20:13:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3970 https://access.redhat.com/errata/RHSA-2020:3970