CVE-2021-32791

CWE-323 CWE-3306 documents6 sources

Severity

5.9MEDIUM

EPSS

0.3%

top 42.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zmartzone MOD Auth Openidc Openidc MOD Auth Openidc Fedoraproject Fedora

Timeline

PublishedJul 26

Description

mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 on…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶Debianlibapache2-mod-auth-openidc< 2.4.9-1+3

▶NVDopenidc/mod_auth_openidc< 2.4.9

▶CVEListV5zmartzone/mod_auth_openidc< 2.4.9

Also affects: Fedora 33, 34

Patches

Patch: github.com ↗Patch: github.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

CVEList

Hardcoded static IV and AAD with a reused key in AES GCM encryption in mod_auth_openidc↗2021-07-26

▶

OSV

CVE-2021-32791: mod_auth_openidc is an authentication/authorization module for the Apache 2↗2021-07-26

▶

📋Vendor Advisories

Red Hat

mod_auth_openidc: hardcoded static IV and AAD with a reused key in AES GCM encryption↗2021-07-24

▶

Microsoft

Hardcoded static IV and AAD with a reused key in AES GCM encryption in mod_auth_openidc↗2021-07-13

▶

Debian

CVE-2021-32791: libapache2-mod-auth-openidc - mod_auth_openidc is an authentication/authorization module for the Apache 2.x HT...↗2021

▶