Headline

RHSA-2023:4408: Red Hat Security Advisory: mod_auth_openidc:2.3 security update

An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets must be applied. This flaw allows an attacker to provide a truncated Authentication Tag and modify the JWE.

1 year ago

Red Hat Security Data

Open in Source

#vulnerability #web #linux #red_hat #apache #nodejs #js #java #kubernetes #aws #oauth #auth #ibm #sap

Skip to navigation Skip to main content

Utilities

Subscriptions
Downloads
Containers
Support Cases

Infrastructure and Management

Red Hat Enterprise Linux
Red Hat Satellite
Red Hat Subscription Management
Red Hat Insights
Red Hat Ansible Automation Platform

Cloud Computing

Red Hat OpenShift
Red Hat OpenStack Platform
Red Hat OpenShift Container Platform
Red Hat OpenShift Data Science
Red Hat OpenShift Dedicated
Red Hat Advanced Cluster Security for Kubernetes
Red Hat Advanced Cluster Management for Kubernetes
Red Hat Quay
Red Hat CodeReady Workspaces
Red Hat OpenShift Service on AWS

Storage

Red Hat Gluster Storage
Red Hat Hyperconverged Infrastructure
Red Hat Ceph Storage
Red Hat OpenShift Data Foundation

Runtimes

Red Hat Runtimes
Red Hat JBoss Enterprise Application Platform
Red Hat Data Grid
Red Hat JBoss Web Server
Red Hat Single Sign On
Red Hat support for Spring Boot
Red Hat build of Node.js
Red Hat build of Quarkus

Integration and Automation

All Products

Issued:

2023-08-01

Updated:

2023-08-01

RHSA-2023:4408 - Security Advisory

Overview
Updated Packages

Synopsis

Important: mod_auth_openidc:2.3 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

Security Fix(es):

cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE (CVE-2023-37464)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6 x86_64
Red Hat Enterprise Linux Server - AUS 8.6 x86_64
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 8.6 s390x
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 8.6 ppc64le
Red Hat Enterprise Linux Server - TUS 8.6 x86_64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 8.6 aarch64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.6 ppc64le
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.6 x86_64

Fixes

BZ - 2223295 - CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE

Red Hat Enterprise Linux for x86_64 - Extended Update Support 8.6

SRPM

cjose-0.6.1-3.module+el8.6.0+19463+7d2e1f9c.src.rpm

SHA-256: 6a6369d016f404919a18c6e53408858ce257a61286b8281c7a174f2228076a63

mod_auth_openidc-2.3.7-11.module+el8.6.0+14082+b6f23e95.src.rpm

SHA-256: 2c14d1f0b3f38b3085d3be4f35fa40d7fd83e94c7445913d583b539f2ce97d91

x86_64

cjose-0.6.1-3.module+el8.6.0+19463+7d2e1f9c.x86_64.rpm

SHA-256: f11201d37a6b4aac013f312fa390fc0b455fdf47b9fe70c430f0e44d080a3c7f

cjose-debuginfo-0.6.1-3.module+el8.6.0+19463+7d2e1f9c.x86_64.rpm

SHA-256: 999b6cdf4eb71306884e361f0c3d63ac664cf2eda570a10ad079383cf18c8dc7

cjose-debugsource-0.6.1-3.module+el8.6.0+19463+7d2e1f9c.x86_64.rpm

SHA-256: c45db85d604abc3d5053d3cff6625a595b6e04a07161c2c7eaccdef3a8f85ccb

cjose-devel-0.6.1-3.module+el8.6.0+19463+7d2e1f9c.x86_64.rpm

SHA-256: 413ebd088cc964f649d18c48acfd9c0983680528dd57c27da514f4020fabc1a9

mod_auth_openidc-2.3.7-11.module+el8.6.0+14082+b6f23e95.x86_64.rpm

SHA-256: 6ec8a054b8a0357afd978b640f73697ffdee31a89e49857782556d096ddd4cc3

mod_auth_openidc-debuginfo-2.3.7-11.module+el8.6.0+14082+b6f23e95.x86_64.rpm

SHA-256: c4681daf0fd7ee6a81b6bf1c8235ebec0e2f79c0a7e28093cdc0cce262eb9f60

mod_auth_openidc-debugsource-2.3.7-11.module+el8.6.0+14082+b6f23e95.x86_64.rpm

SHA-256: a3a90b16597387cc8e027b27eedd64147b8d52e7107e0d8a65c84fd97f41dd1a

Red Hat Enterprise Linux Server - AUS 8.6