CVE-2022-39955: The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

CVE-2022-39956 (https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/): The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).

CVE-2022-39957 (https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/): The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response cannot be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

CVE-2022-39958 (https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/): The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.

Needs bump to 3.3.3.
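The two request/response bypass patterns in the advisories above (the duplicated Content-Type "charset" of CVE-2022-39955 and the small-byte-range exfiltration of CVE-2022-39958), modelled as an added example. This is not code from CRS, ModSecurity or this bug report; it assumes a backend that honours the last "charset" parameter it is given, a WAF whose body signatures are plain regexes, and uses constructed headers, bodies and a constructed "restricted resource". The hardened checks (`charset_allowed_strict`, `range_header_suspicious`) are this example's own, not the rules CRS 3.3.3 ships.

```python
"""
Added example, not CRS or ModSecurity code. Models two bypasses from the
advisory text:
  1. CVE-2022-39955: a lenient charset allow-list check passes a header that
     declares a second, attacker-chosen charset (UTF-7 here), so the WAF
     inspects an encoded body that the backend later decodes.
  2. CVE-2022-39958: a response-body signature never fires when the client
     pulls a restricted resource out in small byte ranges.
Assumptions (not stated on the page): the backend honours the LAST charset
parameter; WAF signatures are plain regexes; all data below is constructed.
"""
import re

ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}
REQUEST_SIGNATURE = re.compile(rb"<script", re.I)
RESPONSE_SIGNATURE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def parse_content_type(header):
    """Split 'type/subtype; k=v; k=v' into the media type and a LIST of
    (name, value) pairs, so duplicate parameters are preserved."""
    parts = [p.strip() for p in header.split(";")]
    params = []
    for p in parts[1:]:
        name, sep, value = p.partition("=")
        if sep:
            params.append((name.strip().lower(), value.strip().strip('"').lower()))
    return parts[0].lower(), params


def charset_allowed_lenient(header):
    """Allow-list check in the bypassable style: passes if ANY allowed
    charset appears anywhere in the header value."""
    names = "|".join(map(re.escape, sorted(ALLOWED_CHARSETS)))
    return re.search(r'charset\s*=\s*"?(' + names + r')"?', header, re.I) is not None


def charset_allowed_strict(header):
    """Hardened check: at most one charset parameter, and if present it must
    be on the allow list. An ambiguous (duplicated) header is rejected."""
    _, params = parse_content_type(header)
    charsets = [v for k, v in params if k == "charset"]
    return len(charsets) <= 1 and all(c in ALLOWED_CHARSETS for c in charsets)


def backend_decode(header, body):
    """Model backend: decodes with the LAST charset given (assumption; real
    frameworks differ in which duplicate wins)."""
    _, params = parse_content_type(header)
    charsets = [v for k, v in params if k == "charset"] or ["utf-8"]
    return body.decode(charsets[-1])


def charset_bypass_demo():
    """Constructed request: allowed charset first, UTF-7 second."""
    header = "application/x-www-form-urlencoded; charset=utf-8; charset=utf-7"
    body = b"q=+ADw-script+AD4-alert(1)+ADw-/script+AD4-"  # UTF-7 of <script>alert(1)</script>
    return {
        "lenient_allows": charset_allowed_lenient(header),            # True: bypass
        "strict_allows": charset_allowed_strict(header),              # False: blocked
        "waf_sees_script": REQUEST_SIGNATURE.search(body) is not None,  # False: still encoded
        "backend_decoded": backend_decode(header, body),              # plaintext <script>
    }


# Constructed stand-in for a restricted resource behind the WAF.
RESTRICTED_RESOURCE = (b"-----BEGIN PRIVATE KEY-----\nMIIEv...constructed...\n"
                       b"-----END PRIVATE KEY-----\n")


def serve_range(resource, start, end):
    """Model origin: bytes start..end inclusive, as for an HTTP Range request."""
    return resource[start:end + 1]


def exfiltrate_by_ranges(resource, chunk):
    """Client side of the bypass: fetch 'chunk' bytes per request. Returns
    (number of pieces the response signature flagged, reassembled bytes)."""
    flagged, pieces = 0, []
    for start in range(0, len(resource), chunk):
        piece = serve_range(resource, start, start + chunk - 1)
        flagged += RESPONSE_SIGNATURE.search(piece) is not None
        pieces.append(piece)
    return flagged, b"".join(pieces)


def range_header_suspicious(range_header, min_bytes=64, max_ranges=5):
    """Request-side hardening a WAF rule could apply: flag Range headers that
    ask for very small or very many byte ranges, and fail closed on malformed
    ones. Suffix (bytes=-N) and open-ended (bytes=N-) ranges only count
    toward the range limit since their size is unknown here."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+)", range_header, re.I)
    if not m:
        return True
    ranges = [r.strip() for r in m.group(1).split(",")]
    if len(ranges) > max_ranges:
        return True
    for r in ranges:
        first, sep, last = r.partition("-")
        if not sep or not (first.isdigit() or last.isdigit()):
            return True
        if first.isdigit() and last.isdigit() and int(last) - int(first) + 1 < min_bytes:
            return True
    return False


if __name__ == "__main__":
    print(charset_bypass_demo())
    print(exfiltrate_by_ranges(RESTRICTED_RESOURCE, 8))
    print(range_header_suspicious("bytes=0-7"), range_header_suspicious("bytes=0-1023"))
```

Two points the advisories make, visible in the output: the lenient check and the request signature both pass the UTF-7 request while the backend decodes it to `<script>`, and with 8-byte ranges not one response piece matches the private-key signature although the reassembled bytes are the whole resource. `range_header_suspicious` is a per-request heuristic only; it cannot see a sequence of requests, which is why the advisory's answer is a stricter paranoia level and the updated rule set rather than a single header check.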
Hi all,

It looks like 3.3.3 has been superseded by 3.3.4 as well. These new versions also have a minimum requirement of 2.9.6 for www-apache/mod_security and 3.0.8 for dev-libs/modsecurity.

I'll attach my build files for:

modsecurity-crs-3.3.4.ebuild
modsecurity-3.0.8.ebuild
mod_security-2.9.6.ebuild

which I am currently using to manage this CVE.

G.
Created attachment 813643: www-apache/modsecurity-crs/modsecurity-crs-3.3.4.ebuild
Created attachment 813646: www-apache/mod_security/mod_security-2.9.6.ebuild
Created attachment 813649: dev-libs/modsecurity/modsecurity-3.0.8.ebuild
(In reply to Graham E from comment #4)
> Created attachment 813649
> dev-libs/modsecurity/modsecurity-3.0.8.ebuild

Hi, could you open a PR for https://github.com/gentoo/gentoo?
Hi. Pull request hopefully raised as #27444.

G.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d20bf8a1839f65630232bf3a43bbae464d94d3d4

commit d20bf8a1839f65630232bf3a43bbae464d94d3d4
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-10-22 04:05:11 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-11-21 09:21:05 +0000

    www-apache/modsecurity-crs: add 3.3.4

    Bug: https://bugs.gentoo.org/872077
    Closes: https://bugs.gentoo.org/869737
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/27886
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apache/modsecurity-crs/Manifest              |  1 +
 www-apache/modsecurity-crs/metadata.xml          | 11 +++---
 .../modsecurity-crs/modsecurity-crs-3.3.4.ebuild | 42 ++++++++++++++++++++++
 3 files changed, 50 insertions(+), 4 deletions(-)
Thanks! Please stabilize when ready
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6854b2428ca58558edd747e8f2d30aaac1d21fea

commit 6854b2428ca58558edd747e8f2d30aaac1d21fea
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-12-02 06:14:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-02 06:15:17 +0000

    www-apache/modsecurity-crs: drop 3.3.2

    Bug: https://bugs.gentoo.org/872077
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 www-apache/modsecurity-crs/Manifest              |  1 -
 .../modsecurity-crs/modsecurity-crs-3.3.2.ebuild | 33 ----------------------
 2 files changed, 34 deletions(-)
GLSA request filed
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=e18d39bd8feec34396dd5f946e2b6a0c3031adff

commit e18d39bd8feec34396dd5f946e2b6a0c3031adff
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-21 19:43:55 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2023-05-21 19:51:33 +0000

    [ GLSA 202305-25 ] OWASP ModSecurity Core Rule Set: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/822003
    Bug: https://bugs.gentoo.org/872077
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202305-25.xml | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
GLSA released, all done!