Bug 1190223 – VUL-0: CVE-2021-39191: apache2-mod_auth_openidc: open redirect issue in target_link_uri parameter

Bug 1190223 - (CVE-2021-39191) VUL-0: CVE-2021-39191: apache2-mod_auth_openidc: open redirect issue in target_link_uri parameter

(CVE-2021-39191)
Summary:	VUL-0: CVE-2021-39191: apache2-mod_auth_openidc: open redirect issue in targe...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/309102/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-39191:4.7:(AV:...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-09-06 12:55 UTC by Gabriele Sonnu
Modified:	2022-04-14 13:38 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gabriele Sonnu 2021-09-06 12:55:33 UTC

mod_auth_openidc is an authentication/authorization module for the Apache 2.x
HTTP server that functions as an OpenID Connect Relying Party, authenticating
users against an OpenID Connect Provider. In versions prior to 2.4.9.4, the
3rd-party init SSO functionality of mod_auth_openidc was reported to be
vulnerable to an open redirect attack by supplying a crafted URL in the
`target_link_uri` parameter. A patch in version 2.4.9.4 made it so that the
`OIDCRedirectURLsAllowed` setting must be applied to the `target_link_uri`
parameter. There are no known workarounds aside from upgrading to a patched
version.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-39191
https://github.com/zmartzone/mod_auth_openidc/commit/03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d
https://github.com/zmartzone/mod_auth_openidc/releases/tag/v2.4.9.4
https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf-8h6h-gqg2
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39191
https://github.com/zmartzone/mod_auth_openidc/issues/672
http://www.cvedetails.com/cve/CVE-2021-39191/

Comment 1 Gabriele Sonnu 2021-09-06 12:55:53 UTC

Affected packages:

 - SUSE:SLE-12-SP2:Update/apache2-mod_auth_openidc  2.4.0
 - SUSE:SLE-15-SP1:Update/apache2-mod_auth_openidc  2.3.8
 - openSUSE:Factory/apache2-mod_auth_openidc        2.4.9.3

Upstream patch:

https://github.com/zmartzone/mod_auth_openidc/commit/03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d

Comment 4 Gianluca Gabrielli 2021-09-24 14:28:13 UTC

@Danilo: please check out the regression in bsc#1190855 and resubmit the patch once fixed. Thanks

Comment 6 Swamp Workflow Management 2021-10-12 16:47:23 UTC

SUSE-SU-2021:3352-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1188638,1188639,1188848,1188849,1190223
CVE References: CVE-2021-32785,CVE-2021-32786,CVE-2021-32791,CVE-2021-32792,CVE-2021-39191
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    apache2-mod_auth_openidc-2.4.0-3.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Gabriele Sonnu 2022-04-07 08:36:43 UTC

@Danilo: please resubmit for SUSE:SLE-15-SP1:Update/apache2-mod_auth_openidc.

Comment 9 Danilo Spinella 2022-04-14 13:35:18 UTC

Hi Gianluca, I have resubmitted as requested.

Comment 10 Gabriele Sonnu 2022-04-14 13:38:35 UTC

Thanks, closing.