Vulnerability Details : CVE-2021-32791
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has been patched to use dynamic values through usage of cjose AES encryption routines.
Products affected by CVE-2021-32791
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:a:openidc:mod_auth_openidc:*:*:*:*:*:*:*:*When used together with: Apache » Http Server
Exploit prediction scoring system (EPSS) score for CVE-2021-32791
0.70%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 71 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-32791
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST | |
|
5.9
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
2.2
|
3.6
|
NIST | |
|
5.9
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
2.2
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2021-32791
-
Nonces should be used for the present occasion and only once.Assigned by: security-advisories@github.com (Primary)
-
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.Assigned by:
- nvd@nist.gov (Secondary)
- security-advisories@github.com (Primary)
References for CVE-2021-32791
-
https://lists.debian.org/debian-lts-announce/2023/04/msg00034.html
[SECURITY] [DLA 3409-1] libapache2-mod-auth-openidc security update
-
https://www.oracle.com/security-alerts/cpuapr2022.html
Oracle Critical Patch Update Advisory - April 2022Patch;Third Party Advisory
-
https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9
Release release 2.4.9 · zmartzone/mod_auth_openidc · GitHubRelease Notes;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZVF6BSJLRQZ7PFFR4X5JSU6KUJYNOCU/
[SECURITY] Fedora 34 Update: mod_auth_openidc-2.4.9-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-px3c-6x7j-3r9r
Hardcoded static IV and AAD with a reused key in AES GCM encryption · Advisory · zmartzone/mod_auth_openidc · GitHubPatch;Third Party Advisory
-
https://github.com/zmartzone/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c
use encrypted JWTs for storing encrypted cache contents · zmartzone/mod_auth_openidc@375407c · GitHubPatch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QXAWKPT5LXZSUTFSJ6IWSZC7RMYYQXQD/
[SECURITY] Fedora 33 Update: mod_auth_openidc-2.4.9-1.fc33 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Jump to