Bug 1190223 - (CVE-2021-39191) VUL-0: CVE-2021-39191: apache2-mod_auth_openidc: open redirect issue in target_link_uri parameter
(CVE-2021-39191)
VUL-0: CVE-2021-39191: apache2-mod_auth_openidc: open redirect issue in targe...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/309102/
CVSSv3.1:SUSE:CVE-2021-39191:4.7:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-09-06 12:55 UTC by Gabriele Sonnu
Modified: 2022-04-14 13:38 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gabriele Sonnu 2021-09-06 12:55:33 UTC
mod_auth_openidc is an authentication/authorization module for the Apache 2.x
HTTP server that functions as an OpenID Connect Relying Party, authenticating
users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the
3rd-party init SSO functionality of mod_auth_openidc was reported to be
vulnerable to an open redirect attack by supplying a crafted URL in the
`target_link_uri` parameter. A patch in version 2.4.9.4 made it so that the
`OIDCRedirectURLsAllowed` setting must be applied to the `target_link_uri`
parameter. There are no known workarounds aside from upgrading to a patched
version.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39191
https://github.com/zmartzone/mod_auth_openidc/commit/03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d
https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9.4
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf-8h6h-gqg2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39191
https://github.com/zmartzone/mod_auth_openidc/issues/672
http://www.cvedetails.com/cve/CVE-2021-39191/
Comment 1 Gabriele Sonnu 2021-09-06 12:55:53 UTC
Affected packages:

 - SUSE:SLE-12-SP2:Update/apache2-mod_auth_openidc  2.4.0
 - SUSE:SLE-15-SP1:Update/apache2-mod_auth_openidc  2.3.8
 - openSUSE:Factory/apache2-mod_auth_openidc        2.4.9.3

Upstream patch:

https://github.com/zmartzone/mod_auth_openidc/commit/03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d
Comment 4 Gianluca Gabrielli 2021-09-24 14:28:13 UTC
@Danilo: please check out the regression in bsc#1190855 and resubmit the patch once fixed. Thanks
Comment 6 Swamp Workflow Management 2021-10-12 16:47:23 UTC
SUSE-SU-2021:3352-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188638,1188639,1188848,1188849,1190223
CVE References: CVE-2021-32785,CVE-2021-32786,CVE-2021-32791,CVE-2021-32792,CVE-2021-39191
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    apache2-mod_auth_openidc-2.4.0-3.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Gabriele Sonnu 2022-04-07 08:36:43 UTC
@Danilo: please resubmit for SUSE:SLE-15-SP1:Update/apache2-mod_auth_openidc.
Comment 9 Danilo Spinella 2022-04-14 13:35:18 UTC
Hi Gianluca, I have resubmitted as requested.
Comment 10 Gabriele Sonnu 2022-04-14 13:38:35 UTC
Thanks, closing.