RHSA-2023:4429: Red Hat Security Advisory: mod_auth_openidc:2.3 security update
An update for the mod_auth_openidc:2.3 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-37464: A vulnerability was found in cjose, a C library implementing Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the tag length from the actual Authentication Tag provided in the JSON Web Encryption (JWE); a fixed length of 16 octets must be applied. This flaw allows an attacker to provide a truncated Authentication Tag and modify the JWE.
Published:
2023-08-02
Updated:
2023-08-02
RHSA-2023:4429 - Security Advisory
Overview
Important: mod_auth_openidc:2.3 security update
Type/Severity
Security Advisory: Important
Description
mod_auth_openidc is an OpenID Connect authentication module for the Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Security Fix(es):
- cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE (CVE-2023-37464)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
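The fix for CVE-2023-37464 comes down to one rule: an AES-GCM JWE must carry a 16-octet Authentication Tag, regardless of how many octets the sender actually supplied. The following is an added example, not cjose or mod_auth_openidc code, that applies that rule at the JWE compact-serialization layer, before any decryption routine runs; it assumes the caller has already established from the protected header that the content encryption is one of the AES-GCM algorithms (the AES-CBC-HMAC algorithms use different tag sizes), and the function and constant names are hypothetical.

```c
#include <stddef.h>

#define JWE_GCM_TAG_OCTETS 16  /* RFC 7518 sec. 5.3: the AES-GCM tag is always 128 bits */

/* Locate the idx-th dot-separated segment of a JWE compact serialization
 * (0 header, 1 encrypted key, 2 IV, 3 ciphertext, 4 authentication tag).
 * Returns its length in characters, or -1 unless exactly five segments exist. */
static long jwe_segment(const char *jwe, int idx, const char **out) {
    const char *start = jwe, *p = jwe;
    int seg = 0;
    long len = -1;
    for (;; p++) {
        if (*p != '.' && *p != '\0') continue;
        if (seg == idx) { len = (long)(p - start); if (out) *out = start; }
        seg++;
        if (*p == '\0') break;
        start = p + 1;
    }
    return seg == 5 ? len : -1;
}

/* Octets an unpadded base64url string of n characters decodes to, or -1 when
 * n is impossible for base64url (a remainder of one character cannot occur). */
static long b64url_octets(long n) {
    if (n < 0 || n % 4 == 1) return -1;
    return (n / 4) * 3 + (n % 4 == 0 ? 0 : n % 4 - 1);
}

/* Reject anything outside the base64url alphabet (RFC 4648 sec. 5, no padding). */
static int is_b64url(const char *s, long n) {
    for (long i = 0; i < n; i++) {
        char c = s[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '_'))
            return 0;
    }
    return 1;
}

/* The check the vulnerable cjose release lacked, applied at the serialization
 * layer: for an AES-GCM JWE the tag must decode to exactly 16 octets, and a
 * shorter (or longer) tag is rejected before any decryption is attempted.
 * Hypothetical helper name. Returns 1 when the tag length is acceptable, 0 otherwise. */
int jwe_gcm_tag_ok(const char *jwe) {
    const char *tag = NULL;
    long n = jwe_segment(jwe, 4, &tag);
    if (n < 0 || !is_b64url(tag, n)) return 0;
    return b64url_octets(n) == JWE_GCM_TAG_OCTETS;
}
```

A 16-octet tag always base64url-encodes to exactly 22 characters, so a truncated 8-octet tag (11 characters) or a malformed fifth segment is refused without touching key material.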
Affected Products
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.1 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.1 x86_64
Fixes
- BZ - 2223295 - CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE
References
- https://access.redhat.com/security/updates/classification/#important
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 8.1
SRPM
cjose-0.6.1-3.module+el8.1.0+19504+b2d26fa1.src.rpm
mod_auth_openidc-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.src.rpm
ppc64le
cjose-0.6.1-3.module+el8.1.0+19504+b2d26fa1.ppc64le.rpm
cjose-debuginfo-0.6.1-3.module+el8.1.0+19504+b2d26fa1.ppc64le.rpm
cjose-debugsource-0.6.1-3.module+el8.1.0+19504+b2d26fa1.ppc64le.rpm
cjose-devel-0.6.1-3.module+el8.1.0+19504+b2d26fa1.ppc64le.rpm
mod_auth_openidc-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.ppc64le.rpm
mod_auth_openidc-debuginfo-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.ppc64le.rpm
mod_auth_openidc-debugsource-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.ppc64le.rpm
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 8.1
SRPM
cjose-0.6.1-3.module+el8.1.0+19504+b2d26fa1.src.rpm
mod_auth_openidc-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.src.rpm
x86_64
cjose-0.6.1-3.module+el8.1.0+19504+b2d26fa1.x86_64.rpm
cjose-debuginfo-0.6.1-3.module+el8.1.0+19504+b2d26fa1.x86_64.rpm
cjose-debugsource-0.6.1-3.module+el8.1.0+19504+b2d26fa1.x86_64.rpm
cjose-devel-0.6.1-3.module+el8.1.0+19504+b2d26fa1.x86_64.rpm
mod_auth_openidc-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.x86_64.rpm
mod_auth_openidc-debuginfo-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.x86_64.rpm
mod_auth_openidc-debugsource-2.3.7-4.module+el8.1.0+19504+b2d26fa1.3.x86_64.rpm
The Red Hat security contact is [email protected]. More contact details are available at https://access.redhat.com/security/team/contact/.
Related news
Ubuntu Security Notice 6307-1 - It was discovered that JOSE for C/C++ AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. An attacker could use this to cause a denial of service or might expose sensitive information.
Debian Linux Security Advisory 5472-1 - It was discovered that an incorrect implementation of AES GCM decryption in cjose, a C library implementing the JOSE standard may allow an attacker to provide a truncated Authentication Tag and modify the JWE object.
Red Hat Security Advisory 2023-4429-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4418-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4411-01 - cjose is a C library implementing Javascript Object Signing and Encryption.
Red Hat Security Advisory 2023-4410-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4409-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
Red Hat Security Advisory 2023-4408-01 - The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.
OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).