Bug 2264092 (CVE-2024-24814)

Summary: CVE-2024-24814 mod_auth_openidc: DoS when using `OIDCSessionType client-cookie` and manipulating cookies
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mod_auth_openidc 2.4.15.2 Doc Type: ---
Doc Text:
A flaw was found in mod_auth_openidc, an OpenID Certified™ authentication and authorization module for the Apache HTTP server. Missing input validation in the mod_auth_openidc_session_chunks cookie value can make the server vulnerable to a denial of service attack. This issue may allow a remote attacker to craft a request that causes the application or system to slow down or crash due to unhandled errors.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2264093    
Bug Blocks: 2264091    

Description Robb Gatica 2024-02-13 21:22:09 UTC 
mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error. Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

https://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d
https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
Comment 1 Robb Gatica 2024-02-13 21:22:40 UTC 
Created mod_auth_openidc tracking bugs for this issue:

Affects: fedora-all [bug 2264093]
Comment 3 errata-xmlrpc 2024-08-13 15:25:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5289 https://access.redhat.com/errata/RHSA-2024:5289
Comment 4 errata-xmlrpc 2024-11-12 09:02:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9180 https://access.redhat.com/errata/RHSA-2024:9180