Impact
When configured to use an unencrypted Redis cache (OIDCCacheEncrypt off, OIDCSessionType server-cache, OIDCCacheType redis), mod_auth_openidc wrongly performed argument interpolation before passing Redis requests to hiredis, which would perform it again and lead to an uncontrolled format string bug.
Initial assessment shows that this bug does not appear to allow gaining arbitrary code execution, but can reliably provoke a denial of service by repeatedly crashing the Apache workers.
Patches
This bug has been corrected by performing argument interpolation only once, using the hiredis API.
Workarounds
If you can't upgrade to mod_auth_openidc 2.4.9, this vulnerability can be mitigated by setting OIDCCacheEncrypt to on, as cache keys are cryptographically hashed before use when this option is enabled.
For more information
If you have any questions or comments about this advisory, you can contact:
- The original reporters, by sending an email to vulnerability.research [at] sonarsource.com;
- The maintainers, by opening an issue on this repository.
thomas-chauchefoin-sonarsource Analyst
Impact
When configured to use an unencrypted Redis cache (
OIDCCacheEncrypt off,OIDCSessionType server-cache,OIDCCacheType redis),mod_auth_openidcwrongly performed argument interpolation before passing Redis requests tohiredis, which would perform it again and lead to an uncontrolled format string bug.Initial assessment shows that this bug does not appear to allow gaining arbitrary code execution, but can reliably provoke a denial of service by repeatedly crashing the Apache workers.
Patches
This bug has been corrected by performing argument interpolation only once, using the
hiredisAPI.Workarounds
If you can't upgrade to
mod_auth_openidc2.4.9, this vulnerability can be mitigated by settingOIDCCacheEncrypttoon, as cache keys are cryptographically hashed before use when this option is enabled.For more information
If you have any questions or comments about this advisory, you can contact: