CVE-2024-24814 Overview
CVE-2024-24814 is a denial of service vulnerability in mod_auth_openidc, the OpenID Certified authentication and authorization module for the Apache 2.x HTTP server. The module implements OpenID Connect Relying Party functionality on Apache web servers. Affected versions fail to validate input on the mod_auth_openidc_session_chunks cookie value. An attacker can supply an oversized integer such as 99999999, forcing the server to perform excessive work before returning a 500 error. A small number of such requests can render the server unresponsive. Maintainers fixed the issue in version 2.4.15.2. The flaw maps to CWE-400: Uncontrolled Resource Consumption.
Critical Impact
Unauthenticated remote attackers can exhaust server resources and cause service outages with minimal request volume.
Affected Products
- openidc:mod_auth_openidc versions prior to 2.4.15.2
- Debian Linux 10
- Fedora 39
Discovery Timeline
- 2024-02-13 - CVE-2024-24814 published to NVD
- 2024-02-13 - Patch released in mod_auth_openidc version 2.4.15.2
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-24814
Vulnerability Analysis
The vulnerability resides in the session cookie parsing logic of mod_auth_openidc. When OIDCSessionType client-cookie is configured, the module reads the mod_auth_openidc_session_chunks cookie to determine how many session chunks to assemble from the client request. The module does not validate the upper bound of this integer value before using it as a loop counter or allocation hint.
An internal security audit by the project maintainers confirmed that supplying a value such as 99999999 causes the server worker to consume CPU and memory for an extended duration before returning HTTP 500. Repeating the request a few times exhausts Apache worker processes and renders the server unresponsive.
Root Cause
The root cause is missing input validation on the mod_auth_openidc_session_chunks cookie value (CWE-400). The module trusts the client-supplied chunk count without applying a sane maximum, allowing an attacker to dictate the size of an internal processing loop.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends an HTTP request to any endpoint protected by mod_auth_openidc with a crafted Cookie header containing an oversized mod_auth_openidc_session_chunks value. The Apache worker handling the request becomes tied up processing the bogus chunk count. A handful of concurrent requests is sufficient to exhaust the available worker pool.
# Excerpt from the upstream ChangeLog for release 2.4.15.2
+02/13/2024
+- CVE-2024-24814: prevent DoS when `OIDCSessionType client-cookie` is set and a crafted Cookie header is supplied
+ https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv
+- release 2.4.15.2
+
01/31/2024
- avoid crash when Forwarded is not present but OIDCXForwardedHeaders is configured for it; see #1171; thanks @daviddpd
- bump to 2.4.15.2dev
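Review bot: the 02/13/2024 entry records the trigger (OIDCSessionType client-cookie plus a crafted Cookie header) but not what the fix does; a clause naming the bound now enforced on the mod_auth_openidc_session_chunks value would let packagers and operators confirm the corrected behaviour without reading the commit. The advisory URL on the following line already covers the reference, so only that one-clause description of the fix is missing.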
Source: OpenIDC GitHub commit 4022c12f
Detection Methods for CVE-2024-24814
Indicators of Compromise
- HTTP requests containing a mod_auth_openidc_session_chunks cookie with abnormally large integer values (for example, values above a few hundred).
- Apache error_log entries showing HTTP 500 responses correlated with session cookie processing.
- Spikes in Apache worker CPU utilization or worker pool saturation following inbound requests to OIDC-protected endpoints.
Detection Strategies
- Inspect inbound HTTP Cookie headers at the reverse proxy or WAF layer for mod_auth_openidc_session_chunks values exceeding a sane threshold.
- Correlate Apache access logs with 500-status responses on OIDC-protected URLs and group by source IP to identify probing.
- Monitor process metrics for sustained high CPU usage in httpd/apache2 worker processes without a corresponding increase in legitimate request volume.
Monitoring Recommendations
- Forward Apache access and error logs to a centralized analytics platform and alert on bursts of 500 responses from OIDC endpoints.
- Track Apache mod_status metrics for worker exhaustion and queue depth.
- Baseline normal cookie sizes and values for mod_auth_openidc_session_chunks and alert on outliers.
How to Mitigate CVE-2024-24814
Immediate Actions Required
- Upgrade mod_auth_openidc to version 2.4.15.2 or later on all Apache HTTP Server instances.
- Apply the corresponding distribution updates for Debian 10 (via the Debian LTS advisory) and Fedora 39 (via the Fedora package announcement).
- Restart the Apache service after the upgrade so worker processes load the patched module.
Patch Information
The fix was delivered in mod_auth_openidc release 2.4.15.2 via commit 4022c12f314bd89d127d1be008b1a80a08e1203d. Release notes and the underlying patch are documented in the OpenIDC Security Advisory GHSA-hxr6-w4gc-7vvv. Distribution updates are available through the Debian LTS Announcement and the Fedora Package Announcement.
Workarounds
- No official workarounds exist; the upstream advisory states upgrading is the only remediation.
- As an interim compensating control, deploy a WAF or reverse proxy rule that strips or rejects requests where mod_auth_openidc_session_chunks exceeds a small numeric ceiling.
- Apply rate limiting on OIDC-protected endpoints to reduce the blast radius of denial of service attempts until patches are deployed.
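As an added example (not code from this page or from the mod_auth_openidc project) serving both the Detection Strategies above and the interim WAF/reverse-proxy control: a Python checker that applies a bounded ceiling to the mod_auth_openidc_session_chunks cookie, rejects malformed or oversized counts without ever converting a huge digit string, and tallies rejected requests per source IP over constructed Apache access-log lines. The ceiling MAX_CHUNKS, the LogFormat that appends %{Cookie}i, and the sample log lines are assumptions.

```python
import re
from collections import Counter

COOKIE_NAME = "mod_auth_openidc_session_chunks"
MAX_CHUNKS = 32  # assumed ceiling; legitimate sessions need only a handful of chunks
LOG_RE = re.compile(r'^(?P<ip>\S+) \[[^\]]+\] "[^"]*" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$')

def parse_cookie_header(header):
    """Split a Cookie header into {name: value}; first occurrence of a name wins."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in jar:
            jar[name] = value.strip()
    return jar

def classify_chunks_cookie(header, max_chunks=MAX_CHUNKS):
    """Return ('allow'|'reject', reason) for the chunk-count cookie in a Cookie header."""
    value = parse_cookie_header(header).get(COOKIE_NAME)
    if value is None:
        return "allow", "chunk cookie absent"
    if not re.fullmatch(r"[0-9]+", value):        # empty, signed, or non-numeric
        return "reject", f"malformed chunk count {value!r}"
    if len(value) > 9 or int(value) > max_chunks:  # length check first: never int() a huge string
        return "reject", f"chunk count {value} exceeds ceiling {max_chunks}"
    return "allow", f"chunk count {value} within ceiling"

# Constructed log lines in an assumed LogFormat "%h %t \"%r\" %>s \"%{Cookie}i\"".
SAMPLE_LOG = """\
203.0.113.7 [13/Feb/2024:10:01:02 +0000] "GET /app/ HTTP/1.1" 500 "mod_auth_openidc_session_chunks=99999999; mod_auth_openidc_session_0=abc"
203.0.113.7 [13/Feb/2024:10:01:03 +0000] "GET /app/ HTTP/1.1" 500 "mod_auth_openidc_session_chunks=99999999"
198.51.100.4 [13/Feb/2024:10:01:05 +0000] "GET /app/ HTTP/1.1" 200 "mod_auth_openidc_session_chunks=2; mod_auth_openidc_session_0=abc; mod_auth_openidc_session_1=def"
198.51.100.9 [13/Feb/2024:10:01:06 +0000] "GET /app/ HTTP/1.1" 500 "mod_auth_openidc_session_chunks=-1"
"""

def suspicious_sources(log_text, max_chunks=MAX_CHUNKS):
    """Count requests per source IP whose chunk-count cookie would be rejected."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and classify_chunks_cookie(m["cookie"], max_chunks)[0] == "reject":
            hits[m["ip"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} request(s) with an out-of-bounds {COOKIE_NAME} cookie")
```

The same classify_chunks_cookie decision is what a proxy rule should encode: absent cookie passes, anything non-numeric or above the ceiling is dropped before it reaches the module.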
# Example: Debian/Ubuntu upgrade
sudo apt-get update
sudo apt-get install --only-upgrade libapache2-mod-auth-openidc
sudo systemctl restart apache2
# Confirm the module is loaded, then check that the installed package version is 2.4.15.2 or later
apache2ctl -M | grep auth_openidc
dpkg -l | grep libapache2-mod-auth-openidc