Apache Web Server Users Beware of DoS Attack on mod_auth_openidc Module

CVE: CVE-2024-24814
CVSS v3.1: 7.5
Source: CVE-2024-24814

mod_auth_openidc, a third-party authentication module for the Apache HTTP Server, is vulnerable to a denial of service attack in releases before 2.4.15.2. The module implements the OpenID Connect Relying Party role, letting users log in to an Apache-hosted site with an account at Google or another OpenID Connect provider.

The module splits a large session cookie into several smaller cookies and records how many pieces there are in a cookie named "mod_auth_openidc_session_chunks". Because that value is not validated, an attacker can send a request in which the chunk count is set to a very large number. The module then tries to process the request as if that many cookie chunks existed, consuming excessive resources, and the affected worker can become unresponsive or crash.

No credentials are needed to send such requests, and a handful of them can be enough to take the server offline. The exposure is limited to Apache instances that have mod_auth_openidc loaded, but for those sites it affects every application behind the server.

The developers have released version 2.4.15.2, which adds the missing validation of the cookie value. Anyone running mod_auth_openidc should upgrade to 2.4.15.2 or later as soon as possible. Check the installed version first so you know whether your server is exposed, then apply the update.
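The following script is an added example, not part of the original article or of the mod_auth_openidc project. It decides whether a given mod_auth_openidc version string is older than the fixed release 2.4.15.2, and can query the installed package on Debian-style systems (package name assumed to be libapache2-mod-auth-openidc) and RPM-based systems (package name assumed to be mod_auth_openidc). Distribution version strings such as epochs ("1:") and package revisions ("-1ubuntu1") are stripped before comparing, which is an assumption about how your distribution packages the module.

```shell
#!/bin/sh
# Added example (not from the article or the project): check whether an
# installed mod_auth_openidc is older than the release that fixes
# CVE-2024-24814. Package names below are assumptions for Debian/RHEL.

FIXED_VERSION="2.4.15.2"

# Reduce a distro version string to the upstream dotted version:
# "1:2.4.15.2-1ubuntu1" -> "2.4.15.2" (epoch and package revision dropped).
normalize_version() {
    v="$1"
    v="${v#*:}"      # strip epoch if present
    v="${v%%-*}"     # strip package revision if present
    printf '%s\n' "$v"
}

# Compare two dotted versions field by field; prints -1, 0 or 1.
# Missing fields count as 0, so 2.4.15 is treated as 2.4.15.0.
version_cmp() {
    a="$(normalize_version "$1")"
    b="$(normalize_version "$2")"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        # keep only the leading digits of each field ("15rc1" -> "15")
        x="$(printf '%s' "$x" | sed 's/[^0-9].*//')"
        y="$(printf '%s' "$y" | sed 's/[^0-9].*//')"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' "-1"; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' "1"; return 0; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    printf '%s\n' "0"
}

# True (exit 0) when VERSION is older than the fixed release.
is_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" = "-1" ]
}

# Best-effort lookup of the installed package version (assumed package names).
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v="$(dpkg-query -W -f='${Version}' libapache2-mod-auth-openidc 2>/dev/null)" \
            && { printf '%s\n' "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v="$(rpm -q --qf '%{VERSION}-%{RELEASE}' mod_auth_openidc 2>/dev/null)" \
            && { printf '%s\n' "$v"; return 0; }
    fi
    return 1
}

# Report on one version string, or on the installed package for "--installed".
# Exit status: 0 patched, 1 vulnerable, 2 could not determine.
report() {
    if [ "$1" = "--installed" ]; then
        v="$(installed_version)" || {
            echo "mod_auth_openidc package not found; confirm with: apachectl -M | grep auth_openidc" >&2
            return 2
        }
    else
        v="$1"
    fi
    if is_vulnerable "$v"; then
        echo "mod_auth_openidc $v is older than $FIXED_VERSION: vulnerable to CVE-2024-24814, upgrade"
        return 1
    fi
    echo "mod_auth_openidc $v is $FIXED_VERSION or newer: fixed for CVE-2024-24814"
    return 0
}

# Usage:  sh check_oidc.sh 2.4.15.1      (check a version you supply)
#         sh check_oidc.sh --installed   (query dpkg/rpm for the installed one)
if [ $# -gt 0 ]; then
    report "$1"
    exit $?
fi
```

The exit status is meant for fleet checks: a configuration-management run or a cron job can call `report --installed` on each host and alert on status 1. Whether the module is actually loaded is a separate question; `apachectl -M` lists `auth_openidc_module` when it is.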

Taking a few minutes to update your Apache server software can help prevent hackers from launching denial of service attacks in the future. Staying on top of patches and upgrades is important for keeping your site safe and online.
