Headline
RHSA-2023:4410: Red Hat Security Advisory: mod_auth_openidc:2.3 security update
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets must be applied. This flaw allows an attacker to provide a truncated Authentication Tag and modify the JWE.
Skip to navigation Skip to main content
Utilities
- Subscriptions
- Downloads
- Containers
- Support Cases
Infrastructure and Management
- Red Hat Enterprise Linux
- Red Hat Satellite
- Red Hat Subscription Management
- Red Hat Insights
- Red Hat Ansible Automation Platform
Cloud Computing
- Red Hat OpenShift
- Red Hat OpenStack Platform
- Red Hat OpenShift Container Platform
- Red Hat OpenShift Data Science
- Red Hat OpenShift Dedicated
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Quay
- Red Hat CodeReady Workspaces
- Red Hat OpenShift Service on AWS
Storage
- Red Hat Gluster Storage
- Red Hat Hyperconverged Infrastructure
- Red Hat Ceph Storage
- Red Hat OpenShift Data Foundation
Runtimes
- Red Hat Runtimes
- Red Hat JBoss Enterprise Application Platform
- Red Hat Data Grid
- Red Hat JBoss Web Server
- Red Hat Single Sign On
- Red Hat support for Spring Boot
- Red Hat build of Node.js
- Red Hat build of Quarkus
Integration and Automation
All Products
Issued:
2023-08-01
Updated:
2023-08-01
RHSA-2023:4410 - Security Advisory
- Overview
- Updated Packages
Synopsis
Important: mod_auth_openidc:2.3 security update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
View affected systems
Topic
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Security Fix(es):
- cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE (CVE-2023-37464)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux Server - AUS 8.2 x86_64
- Red Hat Enterprise Linux Server - TUS 8.2 x86_64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.2 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.2 x86_64
Fixes
- BZ - 2223295 - CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE
Red Hat Enterprise Linux Server - AUS 8.2
SRPM
cjose-0.6.1-3.module+el8.2.0+19461+3a40b6ee.src.rpm
SHA-256: 63123c8a69893d56e8a9cf7e00ab187c4df16c3307c2a232a2e5bfddc48b8414
mod_auth_openidc-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.src.rpm
SHA-256: 66bc258d66ae7765d8ba71700f223459971068504eddacad553b6db58534d112
x86_64
cjose-0.6.1-3.module+el8.2.0+19461+3a40b6ee.x86_64.rpm
SHA-256: 56f971d2c829e60def5cbf75e327157fcc932a6172555218d7965d4da60a3a70
cjose-debuginfo-0.6.1-3.module+el8.2.0+19461+3a40b6ee.x86_64.rpm
SHA-256: 875e29c6625a482e24cd1b6e6229e9c24a24ea000b250943ae66d839ccd1de4b
cjose-debugsource-0.6.1-3.module+el8.2.0+19461+3a40b6ee.x86_64.rpm
SHA-256: 34bd17d9876957421d7257fb9fbed319afa33f5e0a09987e1950c3abe24c20bf
cjose-devel-0.6.1-3.module+el8.2.0+19461+3a40b6ee.x86_64.rpm
SHA-256: 599128034fc76c47cbb32d64028c77b08e64320b1aec5a291fe7532a260551b2
mod_auth_openidc-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.x86_64.rpm
SHA-256: 8d74fb286819e138e3ca1f12144cd37b047720ab5ab8da402a46e430cbda12f9
mod_auth_openidc-debuginfo-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.x86_64.rpm
SHA-256: 75aee496d15e355f2afd159ef120d6ccd6759dc99dc00c5e842d53e4eead9b88
mod_auth_openidc-debugsource-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.x86_64.rpm
SHA-256: a12c2d635dffc1fae1a7cb29ae167b806d59204c766846df2135ec46e5977622
Red Hat Enterprise Linux Server - TUS 8.2
SRPM
cjose-0.6.1-3.module+el8.2.0+19461+3a40b6ee.src.rpm
SHA-256: 63123c8a69893d56e8a9cf7e00ab187c4df16c3307c2a232a2e5bfddc48b8414
mod_auth_openidc-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.src.rpm
SHA-256: 66bc258d66ae7765d8ba71700f223459971068504eddacad553b6db58534d112
x86_64
cjose-0.6.1-3.module+el8.2.0+19461+3a40b6ee.x86_64.rpm
SHA-256: 56f971d2c829e60def5cbf75e327157fcc932a6172555218d7965d4da60a3a70
cjose-debuginfo-0.6.1-3.module+el8.2.0+19461+3a40b6ee.x86_64.rpm
SHA-256: 875e29c6625a482e24cd1b6e6229e9c24a24ea000b250943ae66d839ccd1de4b
cjose-debugsource-0.6.1-3.module+el8.2.0+19461+3a40b6ee.x86_64.rpm
SHA-256: 34bd17d9876957421d7257fb9fbed319afa33f5e0a09987e1950c3abe24c20bf
cjose-devel-0.6.1-3.module+el8.2.0+19461+3a40b6ee.x86_64.rpm
SHA-256: 599128034fc76c47cbb32d64028c77b08e64320b1aec5a291fe7532a260551b2
mod_auth_openidc-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.x86_64.rpm
SHA-256: 8d74fb286819e138e3ca1f12144cd37b047720ab5ab8da402a46e430cbda12f9
mod_auth_openidc-debuginfo-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.x86_64.rpm
SHA-256: 75aee496d15e355f2afd159ef120d6ccd6759dc99dc00c5e842d53e4eead9b88
mod_auth_openidc-debugsource-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.x86_64.rpm
SHA-256: a12c2d635dffc1fae1a7cb29ae167b806d59204c766846df2135ec46e5977622
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.2
SRPM
cjose-0.6.1-3.module+el8.2.0+19461+3a40b6ee.src.rpm
SHA-256: 63123c8a69893d56e8a9cf7e00ab187c4df16c3307c2a232a2e5bfddc48b8414
mod_auth_openidc-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.src.rpm
SHA-256: 66bc258d66ae7765d8ba71700f223459971068504eddacad553b6db58534d112
ppc64le
cjose-0.6.1-3.module+el8.2.0+19461+3a40b6ee.ppc64le.rpm
SHA-256: c51fc3703210c958c5e7fea631ec764e62967d38c1c46b0a7f53e044fcf72248
cjose-debuginfo-0.6.1-3.module+el8.2.0+19461+3a40b6ee.ppc64le.rpm
SHA-256: 66206a3bd32f505c7b23d03982163bcaaa9dd133c795bf140b515eedf8aa81df
cjose-debugsource-0.6.1-3.module+el8.2.0+19461+3a40b6ee.ppc64le.rpm
SHA-256: 3439e862a98e8de1f024a37feef0eb9f2dbbca284cce72f5b043204fc19a8823
cjose-devel-0.6.1-3.module+el8.2.0+19461+3a40b6ee.ppc64le.rpm
SHA-256: 56011a3c91bc864334ae272d197d4a145ae48125b52557d7b4d98b8d311e5f97
mod_auth_openidc-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.ppc64le.rpm
SHA-256: 0107f20280689723ed58c6ad7f87770393b9a3b22452a72d8eb33d0602faf3c7
mod_auth_openidc-debuginfo-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.ppc64le.rpm
SHA-256: 4db3f324fdaffb4baa7dfae763887aad29d3bb133d09ab73a94e4b26548271db
mod_auth_openidc-debugsource-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.ppc64le.rpm
SHA-256: ad01ecf2d08e1af27204a9f05c4f8faf9419a5499074f8a6285899baa0589d52
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.2
SRPM
cjose-0.6.1-3.module+el8.2.0+19461+3a40b6ee.src.rpm
SHA-256: 63123c8a69893d56e8a9cf7e00ab187c4df16c3307c2a232a2e5bfddc48b8414
mod_auth_openidc-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.src.rpm
SHA-256: 66bc258d66ae7765d8ba71700f223459971068504eddacad553b6db58534d112
x86_64
cjose-0.6.1-3.module+el8.2.0+19461+3a40b6ee.x86_64.rpm
SHA-256: 56f971d2c829e60def5cbf75e327157fcc932a6172555218d7965d4da60a3a70
cjose-debuginfo-0.6.1-3.module+el8.2.0+19461+3a40b6ee.x86_64.rpm
SHA-256: 875e29c6625a482e24cd1b6e6229e9c24a24ea000b250943ae66d839ccd1de4b
cjose-debugsource-0.6.1-3.module+el8.2.0+19461+3a40b6ee.x86_64.rpm
SHA-256: 34bd17d9876957421d7257fb9fbed319afa33f5e0a09987e1950c3abe24c20bf
cjose-devel-0.6.1-3.module+el8.2.0+19461+3a40b6ee.x86_64.rpm
SHA-256: 599128034fc76c47cbb32d64028c77b08e64320b1aec5a291fe7532a260551b2
mod_auth_openidc-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.x86_64.rpm
SHA-256: 8d74fb286819e138e3ca1f12144cd37b047720ab5ab8da402a46e430cbda12f9
mod_auth_openidc-debuginfo-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.x86_64.rpm
SHA-256: 75aee496d15e355f2afd159ef120d6ccd6759dc99dc00c5e842d53e4eead9b88
mod_auth_openidc-debugsource-2.3.7-4.module+el8.2.0+6919+ac02cfd2.3.x86_64.rpm
SHA-256: a12c2d635dffc1fae1a7cb29ae167b806d59204c766846df2135ec46e5977622
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 6307-1 - It was discovered that JOSE for C/C++ AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. An attacker could use this to cause a denial of service or might expose sensitive information.
Red Hat Security Advisory 2023-4417-01 - CJose is C library implementing the Javascript Object Signing and Encryption.
Red Hat Security Advisory 2023-4418-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of ...
Red Hat Security Advisory 2023-4411-01 - CJose is C library implementing the Javascript Object Signing and Encryption.
Red Hat Security Advisory 2023-4410-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4409-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4408-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets must be applied. This flaw...
An update for cjose is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets must be applied. This flaw...
An update for cjose is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets must be applied. This flaw allows an attacker to pro...
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-37464: A vulnerability was found in cjose. The cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE). A fixed length of 16 octets ...
OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).