891777 – (CVE-2022-48279, CVE-2023-24021, CVE-2023-28882) dev-libs/modsecurity: multiple vulnerabilities

Bug 891777 (CVE-2022-48279, CVE-2023-24021, CVE-2023-28882) - dev-libs/modsecurity: multiple vulnerabilities

Summary: dev-libs/modsecurity: multiple vulnerabilities

Status:	CONFIRMED

Alias:	CVE-2022-48279, CVE-2023-24021, CVE-2023-28882

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/SpiderLabs/ModSecu...
Whiteboard:	B3 [??]
Keywords:	PullRequest

Depends on:
Blocks:

Reported:	2023-01-22 23:15 UTC by John Helmert III
Modified:	2023-04-29 16:41 UTC (History)
CC List:	2 users (show)

See Also:	CVE-2022-39955, CVE-2022-39956, CVE-2022-39957, CVE-2022-39958 https://github.com/gentoo/gentoo/pull/29267
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-01-22 23:15:12 UTC

CVE-2023-24021 (https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.7):

In ModSecurity before 2.9.7, FILES_TMP_CONTENT sometimes lacked the complete content. This can lead to a Web Application Firewall bypass.

This particular fix is in 2.9.7, but it 3.x affected? According to
URL, "It's a bit unfortunate it comes out of the blue, since we could
have written a better advisory than the one now listed at
NIST. https://nvd.nist.gov/vuln/detail/CVE-2023-24021 Namely because
the problem is bigger than it seems.

What I do not like about the situation is that the Changelog makes it
look rather innocent, when it can be abused for a buffer
overflow. This gives attackers taking a deeper look an advantage over
users who read the changelog and think it's no big deal."

Comment 1 John Helmert III archtester

2023-01-22 23:41:40 UTC

CVE-2022-48279:
https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart requests were incorrectly parsed and could bypass the Web Application Firewall. NOTE: this is related to CVE-2022-39956 but can be considered independent changes to the ModSecurity (C language) codebase.

This is fixed in 2.9.6 and 3.0.8.

Comment 2 Larry the Git Cow gentoo-dev

2023-02-05 09:12:57 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff270e81a87d860d557a52ee763ad810f93e586a

commit ff270e81a87d860d557a52ee763ad810f93e586a
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2023-01-25 15:27:47 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-02-05 09:12:51 +0000

    www-apache/mod_security: add 2.9.7
    
    Bug: https://bugs.gentoo.org/891777
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/29267
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apache/mod_security/Manifest                  |   1 +
 www-apache/mod_security/metadata.xml              |   4 +
 www-apache/mod_security/mod_security-2.9.7.ebuild | 128 ++++++++++++++++++++++
 3 files changed, 133 insertions(+)

Comment 3 John Helmert III archtester

2023-02-18 23:42:03 UTC

Hm. Apparently there's two packages based on the SpiderLabs upstream, dev-libs/modsecurity and www-apache/mod_security. Are they the same thing? Are they both affected by these?

There's also www-apache/modsecurity-crs, is that affected too?

Comment 4 John Helmert III archtester

2023-04-29 16:41:58 UTC

CVE-2023-28882 (https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-309/):

Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.