Bug 872077 (CVE-2022-39955, CVE-2022-39956, CVE-2022-39957, CVE-2022-39958) - <www-apache/modsecurity-crs-3.3.4: multiple vulnerabilities
Summary: <www-apache/modsecurity-crs-3.3.4: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2022-39955, CVE-2022-39956, CVE-2022-39957, CVE-2022-39958
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://coreruleset.org/20220919/crs-...
Whiteboard: B4 [glsa?]
Keywords: PullRequest
Depends on: 883951
Blocks:
Reported: 2022-09-20 18:46 UTC by John Helmert III
Modified: 2022-12-02 06:16 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
www-apache/modsecurity-crs/modsecurity-crs-3.3.4.ebuild (modsecurity-crs-3.3.4.ebuild, 1.61 KB, text/plain), 2022-09-22 12:28 UTC, Graham E
www-apache/mod_security/mod_security-2.9.6.ebuild (mod_security-2.9.6.ebuild, 2.87 KB, text/plain), 2022-09-22 12:29 UTC, Graham E
dev-libs/modsecurity/modsecurity-3.0.8.ebuild (modsecurity-3.0.8.ebuild, 1.89 KB, text/plain), 2022-09-22 12:30 UTC, Graham E

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-20 18:46:53 UTC
CVE-2022-39955:

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

CVE-2022-39956 (https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/):

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).

CVE-2022-39957 (https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/):

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response cannot be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively.

CVE-2022-39958 (https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/):

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.

Needs bump to 3.3.3.
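The four advisories above all describe request or response headers that a WAF in front of a permissive backend should treat with suspicion. As an added illustration (this is not CRS or ModSecurity code and is not part of this bug report), the Python below screens a header map the way the fixed CRS releases do conceptually: it flags a Content-Type that declares more than one "charset", a charset outside a configured allow list, a "charset" parameter on Accept, a Content-Transfer-Encoding field (only expected on multipart part headers, which is why the same function can be run over each part's headers), and a Range header requesting a very small byte range. The allow list, the byte threshold and the finding strings are constructed values, not CRS settings.

```python
"""Request/part header screen modelled on the CRS fixes for CVE-2022-39955..39958.

Added example; not CRS or ModSecurity code. The allow list, threshold and
finding strings below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed allow list, playing the role of CRS's configurable
# Content-Type "charset" allow list.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}

# Constructed threshold: a Range request asking for fewer bytes than this is
# flagged, since short slices of a resource defeat pattern matching.
MIN_RANGE_BYTES = 1024


def parse_media_type(value: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'type/subtype; a=b; c="d"' into (media type, parameter list).

    Duplicate parameters are preserved on purpose: a second "charset" is
    exactly the condition that must be noticed.
    """
    parts = value.split(";")
    media_type = parts[0].strip().lower()
    params = []
    for raw in parts[1:]:
        name, sep, val = raw.partition("=")
        if not sep:
            continue  # a bare token is not a parameter
        params.append((name.strip().lower(), val.strip().strip('"').lower()))
    return media_type, params


def _range_lengths(value: str) -> List[int]:
    """Return the fixed lengths of each byte range in a Range header value."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return []
    lengths = []
    for spec in specs.split(","):
        first, dash, last = spec.strip().partition("-")
        if not dash:
            continue
        if first == "" and last.isdigit():
            lengths.append(int(last))  # suffix range: the last N bytes
        elif first.isdigit() and last.isdigit() and int(last) >= int(first):
            lengths.append(int(last) - int(first) + 1)
        # an open-ended "first-" range has no fixed length and is skipped
    return lengths


def screen_request_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one header map (request or multipart part)."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    ct = h.get("content-type")
    if ct is not None:
        _, params = parse_media_type(ct)
        charsets = [v for n, v in params if n == "charset"]
        if len(charsets) > 1:
            findings.append("CVE-2022-39955: multiple charset parameters in Content-Type")
        for cs in charsets:
            if cs not in ALLOWED_CHARSETS:
                findings.append(f"Content-Type charset not on allow list: {cs}")

    # Content-Transfer-Encoding is deprecated for HTTP multipart and is what
    # CVE-2022-39956 abuses to carry a body the engine will not decode.
    if "content-transfer-encoding" in h:
        findings.append("CVE-2022-39956: Content-Transfer-Encoding present on part headers")

    accept = h.get("accept")
    if accept is not None and re.search(r"[;,]\s*charset=", accept, re.IGNORECASE):
        findings.append("CVE-2022-39957: charset parameter in Accept header")

    rng = h.get("range")
    if rng is not None:
        small = [n for n in _range_lengths(rng) if n < MIN_RANGE_BYTES]
        if small:
            findings.append(f"CVE-2022-39958: small byte range(s) requested: {small}")

    return findings


if __name__ == "__main__":
    # Constructed sample header maps.
    for sample in (
        {"Content-Type": "text/plain; charset=utf-8; charset=x-constructed"},
        {"Content-Type": "application/json; charset=UTF-8"},
        {"Range": "bytes=0-9"},
    ):
        print(sample, "->", screen_request_headers(sample))
```

The function is deliberately stateless so it can be dropped into any request hook; detecting the repeated small-Range pattern across many requests (the sequential exfiltration the advisory describes) additionally needs per-client counting, which a rate limiter or the WAF's own persistent collections would supply. Note that CVE-2022-39956 is only fully mitigated by the ModSecurity engine upgrade the advisory calls for (v2.9.6 / v3.0.8); a header check like this one is a complement, not a substitute.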
Comment 1 Graham E 2022-09-22 12:26:59 UTC
Hi All,

It looks like 3.3.3 has been superseded by 3.3.4 as well. These new versions also have a minimum requirement of 2.9.6 for www-apache/mod_security and 3.0.8 for dev-libs/modsecurity.

I'll attach my build files for:

 modsecurity-crs-3.3.4.ebuild
 modsecurity-3.0.8.ebuild
 mod_security-2.9.6.ebuild

which I am currently using to manage this CVE.

G.
Comment 2 Graham E 2022-09-22 12:28:54 UTC
Created attachment 813643 [details]
www-apache/modsecurity-crs/modsecurity-crs-3.3.4.ebuild
Comment 3 Graham E 2022-09-22 12:29:38 UTC
Created attachment 813646 [details]
www-apache/mod_security/mod_security-2.9.6.ebuild
Comment 4 Graham E 2022-09-22 12:30:16 UTC
Created attachment 813649 [details]
dev-libs/modsecurity/modsecurity-3.0.8.ebuild
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-23 02:51:33 UTC
(In reply to Graham E from comment #4)
> Created attachment 813649 [details]
> dev-libs/modsecurity/modsecurity-3.0.8.ebuild

Hi, could you open a PR for https://github.com/gentoo/gentoo?
Comment 6 Graham E 2022-09-25 08:32:47 UTC
Hi.

Pull request hopefully raised as #27444 

G.
Comment 7 Larry the Git Cow gentoo-dev 2022-11-21 09:22:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d20bf8a1839f65630232bf3a43bbae464d94d3d4

commit d20bf8a1839f65630232bf3a43bbae464d94d3d4
Author:     Tomáš Mózes <hydrapolic@gmail.com>
AuthorDate: 2022-10-22 04:05:11 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-11-21 09:21:05 +0000

    www-apache/modsecurity-crs: add 3.3.4
    
    Bug: https://bugs.gentoo.org/872077
    Closes: https://bugs.gentoo.org/869737
    Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/27886
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apache/modsecurity-crs/Manifest                |  1 +
 www-apache/modsecurity-crs/metadata.xml            | 11 +++---
 .../modsecurity-crs/modsecurity-crs-3.3.4.ebuild   | 42 ++++++++++++++++++++++
 3 files changed, 50 insertions(+), 4 deletions(-)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-21 16:51:02 UTC
Thanks! Please stabilize when ready
Comment 9 Larry the Git Cow gentoo-dev 2022-12-02 06:15:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6854b2428ca58558edd747e8f2d30aaac1d21fea

commit 6854b2428ca58558edd747e8f2d30aaac1d21fea
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-12-02 06:14:33 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-02 06:15:17 +0000

    www-apache/modsecurity-crs: drop 3.3.2
    
    Bug: https://bugs.gentoo.org/872077
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 www-apache/modsecurity-crs/Manifest                |  1 -
 .../modsecurity-crs/modsecurity-crs-3.3.2.ebuild   | 33 ----------------------
 2 files changed, 34 deletions(-)