UBUNTU-CVE-2021-32791

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2021-32791

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-32791.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2021-32791

Related

CVE-2021-32791

Published

2021-07-26T17:15:00Z

Modified

2024-10-15T14:08:10Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

modauthopenidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In modauthopenidc before version 2.4.9, the AES GCM encryption in modauthopenidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has been patched to use dynamic values through usage of cjose AES encryption routines.

References

Affected packages

Ubuntu:Pro:16.04:LTS / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/ubuntu/libapache2-mod-auth-openidc?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.6.0-1

1.8.5-1

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:Pro:18.04:LTS / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/ubuntu/libapache2-mod-auth-openidc?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.1.6-1

2.3.1-2

2.3.2-1

2.3.2-1build1

2.3.3-1build1

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:20.04:LTS / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/ubuntu/libapache2-mod-auth-openidc?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.3.10.2-1

2.4.0.4-1

2.4.1-1

Ecosystem specific

{
    "ubuntu_priority": "low"
}

Ubuntu:22.04:LTS / libapache2-mod-auth-openidc

Package

Name: libapache2-mod-auth-openidc
Purl: pkg:deb/ubuntu/libapache2-mod-auth-openidc?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.9-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "low",
    "binaries": [
        {
            "binary_version": "2.4.9-1",
            "binary_name": "libapache2-mod-auth-openidc"
        },
        {
            "binary_version": "2.4.9-1",
            "binary_name": "libapache2-mod-auth-openidc-dbgsym"
        }
    ]
}