CVE-2021-32791

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has been patched to use dynamic values through usage of cjose AES encryption routines.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

History

07 Nov 2023, 03:35

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/', 'name': 'FEDORA-2021-e3017c538a', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/', 'name': 'FEDORA-2021-17f5cedf66', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/ -

25 May 2023, 20:18

Type Values Removed Values Added
First Time Openidc mod Auth Openidc
Openidc
CPE cpe:2.3:a:zmartzone:mod_auth_openidc:*:*:*:*:*:*:*:* cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:*

30 Apr 2023, 23:15

Type Values Removed Values Added
CWE CWE-323
References
  • (MLIST) https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html -

10 May 2022, 18:02

Type Values Removed Values Added
References (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory

20 Apr 2022, 00:15

Type Values Removed Values Added
References
  • (MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

09 Aug 2021, 17:59

Type Values Removed Values Added
CPE cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
References
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/ - Mailing List, Third Party Advisory
  • (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/ - Mailing List, Third Party Advisory
CVSS v2 : 5.0
v3 : 7.5
v2 : 4.3
v3 : 5.9

04 Aug 2021, 16:06

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 7.5
References (CONFIRM) https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-px3c-6x7j-3r9r - (CONFIRM) https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-px3c-6x7j-3r9r - Patch, Third Party Advisory
References (MISC) https://github.com/zmartzone/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c - (MISC) https://github.com/zmartzone/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c - Patch, Third Party Advisory
References (MISC) https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9 - (MISC) https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9 - Release Notes, Third Party Advisory
CPE cpe:2.3:a:zmartzone:mod_auth_openidc:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
CWE CWE-330

26 Jul 2021, 17:21

Type Values Removed Values Added
New CVE

Information

Published : 2021-07-26 17:15

Updated : 2023-12-10 13:55


NVD link : CVE-2021-32791

Mitre link : CVE-2021-32791

CVE.ORG link : CVE-2021-32791


JSON object : View

Products Affected

apache

  • http_server

openidc

  • mod_auth_openidc

fedoraproject

  • fedora
CWE
CWE-323

Reusing a Nonce, Key Pair in Encryption

CWE-330

Use of Insufficiently Random Values