CVE-2024-24814: 
Rocky Linux vulnerability analysis and mitigation

A vulnerability was discovered in mod_auth_openidc, an OpenID Connect authentication module for the Apache HTTP server, identified as CVE-2024-24814. The vulnerability affects versions 2.0.0 through 2.4.15.1 and was disclosed on February 13, 2024. The issue stems from missing input validation on the mod_auth_openidc_session_chunks cookie value when using the OIDCSessionType client-cookie configuration (GitHub Advisory).

The vulnerability occurs when the OIDCSessionType is set to client-cookie configuration. An attacker can manipulate the value of the mod_auth_openidc_session_chunks cookie by setting it to a very large integer (e.g., 99999999), causing the server to struggle with processing the request. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Moderate) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).

When exploited, this vulnerability can lead to a Denial of Service (DoS) condition. Making multiple requests with manipulated cookie values can cause the server to become unresponsive, eventually returning 500 errors. The impact primarily affects the availability of the service, with no direct impact on confidentiality or integrity (GitHub Advisory, Debian Advisory).

The vulnerability has been fixed in version 2.4.15.2 and later releases. Organizations are strongly advised to upgrade their mod_auth_openidc installations to the patched version. The fix includes proper validation of the cookie chunk count to prevent DoS attacks (GitHub Commit, Red Hat Advisory).