Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

rocky логотип

RLSA-2023:4418

Опубликовано: 08 авг. 2023
Источник: rocky
Оценка: Important

Описание

Important: mod_auth_openidc:2.3 security update

The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

Security Fix(es):

  • cjose: AES GCM decryption uses the Tag length from the actual Authentication Tag provided in the JWE (CVE-2023-37464)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Затронутые продукты

  • Rocky Linux 8

НаименованиеАрхитектураРелизRPM
cjosex86_643.module+el8.8.0+1406+4a7f5371cjose-0.6.1-3.module+el8.8.0+1406+4a7f5371.x86_64.rpm
cjose-develx86_643.module+el8.8.0+1406+4a7f5371cjose-devel-0.6.1-3.module+el8.8.0+1406+4a7f5371.x86_64.rpm
mod_auth_openidcx86_641.module+el8.7.0+1061+55d14382mod_auth_openidc-2.4.9.4-1.module+el8.7.0+1061+55d14382.x86_64.rpm

Показывать по

Связанные CVE

CVE-2023-37464

Ссылки на источники

Исправления

Связанные уязвимости

ubuntu логотип

CVE-2023-37464

CVSS3: 8.6
ubuntu
больше 2 лет назад

OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).

redhat логотип

CVE-2023-37464

CVSS3: 7.5
redhat
больше 2 лет назад

OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).

nvd логотип

CVE-2023-37464

CVSS3: 8.6
nvd
больше 2 лет назад

OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).

msrc логотип

CVE-2023-37464

msrc
6 месяцев назад

Incorrect Authentication Tag length usage in AES GCM decryption in OpenIDC/cjose

debian логотип

CVE-2023-37464

CVSS3: 8.6
debian
больше 2 лет назад

OpenIDC/cjose is a C library implementing the Javascript Object Signin ...