mod_auth_openidc is an OpenID Certified™ authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. In affected versions missing input validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like 99999999, the server struggles with the request for a long time and finally gets back with a 500 error. Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

The remote Oracle Linux 9 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2024-9180 advisory.

    [2.4.10-1]     Rebase to 2.4.10 version improves state cookies piling up problem       Resolves: RHEL-32450 Race condition in mod_auth_openidc filecache       Resolves: RHEL-25422 mod_auth_openidc: DoS when using                 OIDCSessionType client-cookie and manipulating cookies                 (CVE-2024-24814)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:9180 advisory.

    The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an     Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

    Security Fix(es):

    * mod_auth_openidc: DoS when using `OIDCSessionType client-cookie` and manipulating cookies     (CVE-2024-24814)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.5 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:5289 advisory.

    The mod_auth_openidc is an OpenID Connect authentication module for Apache HTTP Server. It enables an     Apache HTTP Server to operate as an OpenID Connect Relying Party and/or OAuth 2.0 Resource Server.

    Security Fix(es):

    * mod_auth_openidc: DoS when using `OIDCSessionType client-cookie` and manipulating cookies     (CVE-2024-24814)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-5289 advisory.

    cjose     mod_auth_openidc     [2.4.9.4-6]
    - Resolves: RHEL-36492 Race condition in mod_auth_openidc filecache
    - Resolves: RHEL-25421 mod_auth_openidc: DoS when using         OIDCSessionType client-cookie and manipulating cookies         (CVE-2024-24814)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2024:2299-1 advisory.

    - CVE-2024-24814: Fixed a bug that can led to DoS when `OIDCSessionType client-cookie` is set and a     crafted Cookie header is supplied. (bsc#1219911)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2024:0758-1 advisory.

  - mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP     server that implements the OpenID Connect Relying Party functionality. In affected versions missing input     validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of     service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they     manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like     99999999, the server struggles with the request for a long time and finally gets back with a 500 error.
    Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests     that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal     effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no     known workarounds for this vulnerability. (CVE-2024-24814)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2024:0757-1 advisory.

  - mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP     server that implements the OpenID Connect Relying Party functionality. In affected versions missing input     validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of     service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they     manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like     99999999, the server struggles with the request for a long time and finally gets back with a 500 error.
    Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests     that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal     effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no     known workarounds for this vulnerability. (CVE-2024-24814)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by a vulnerability as referenced in the dla-3751 advisory.

  - mod_auth_openidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP     server that implements the OpenID Connect Relying Party functionality. In affected versions missing input     validation on mod_auth_openidc_session_chunks cookie value makes the server vulnerable to a denial of     service (DoS) attack. An internal security audit has been conducted and the reviewers found that if they     manipulated the value of the mod_auth_openidc_session_chunks cookie to a very large integer, like     99999999, the server struggles with the request for a long time and finally gets back with a 500 error.
    Making a few requests of this kind caused our server to become unresponsive. Attackers can craft requests     that would make the server work very hard (and possibly become unresponsive) and/or crash with minimal     effort. This issue has been addressed in version 2.4.15.2. Users are advised to upgrade. There are no     known workarounds for this vulnerability. (CVE-2024-24814)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-3c0f2a2771 advisory.

    fix CVE-2024-24814: prevent DoS when OIDCSessionType client-cookie is set and a crafted Cookie header is     supplied

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
211565	Oracle Linux 9 : mod_auth_openidc (ELSA-2024-9180)	Nessus	Oracle Linux Local Security Checks	high
210785	RHEL 9 : mod_auth_openidc (RHSA-2024:9180)	Nessus	Red Hat Local Security Checks	high
210515	RHEL 8 : mod_auth_openidc:2.3 (RHSA-2024:5289)	Nessus	Red Hat Local Security Checks	high
205535	Oracle Linux 8 : mod_auth_openidc:2.3 (ELSA-2024-5289)	Nessus	Oracle Linux Local Security Checks	high
201907	SUSE SLES15 / openSUSE 15 Security Update : apache2-mod_auth_openidc (SUSE-SU-2024:2299-1)	Nessus	SuSE Local Security Checks	high
191705	SUSE SLES12 Security Update : apache2-mod_auth_openidc (SUSE-SU-2024:0758-1)	Nessus	SuSE Local Security Checks	high
191626	SUSE SLES15 / openSUSE 15 Security Update : apache2-mod_auth_openidc (SUSE-SU-2024:0757-1)	Nessus	SuSE Local Security Checks	high
191563	Debian dla-3751 : libapache2-mod-auth-openidc - security update	Nessus	Debian Local Security Checks	high
191473	Fedora 39 : mod_auth_openidc (2024-3c0f2a2771)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2024-24814

high

Tenable Plugins

high

high

high

high

high

high

high

high

high