OESA-2024-1192

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1192
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2024-1192.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2024-1192
Upstream
Published
2024-02-23T11:07:02Z
Modified
2025-09-03T06:20:04.711222Z
Summary
mod_auth_openidc security update
Details

This module enables an Apache 2.x web server to operate as an OpenID Connect Relying Party(RP) to an OpenID Connect Provider(OP).

Security Fix(es):

modauthopenidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on modauthopenidcsessionchunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the modauthopenidcsessionchunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error. Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.(CVE-2024-24814)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:22.03-LTS-SP1 / mod_auth_openidc

Package

Name
mod_auth_openidc
Purl
pkg:rpm/openEuler/mod_auth_openidc&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.15.3-1.oe2203sp1

Ecosystem specific 

{
    "src": [
        "mod_auth_openidc-2.4.15.3-1.oe2203sp1.src.rpm"
    ],
    "x86_64": [
        "mod_auth_openidc-debugsource-2.4.15.3-1.oe2203sp1.x86_64.rpm",
        "mod_auth_openidc-2.4.15.3-1.oe2203sp1.x86_64.rpm",
        "mod_auth_openidc-debuginfo-2.4.15.3-1.oe2203sp1.x86_64.rpm"
    ],
    "aarch64": [
        "mod_auth_openidc-debugsource-2.4.15.3-1.oe2203sp1.aarch64.rpm",
        "mod_auth_openidc-2.4.15.3-1.oe2203sp1.aarch64.rpm",
        "mod_auth_openidc-debuginfo-2.4.15.3-1.oe2203sp1.aarch64.rpm"
    ]
}