Fedora has issued an advisory on October 15: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4Q7DCCE37GT5ZBJOWP4NGUD4L3FAMDB/ The issues are fixed upstream in 3.2.2 and 3.3.3 (they updated to 3.3.4). They also updated apache-mod_security to 2.9.6 as part of this update: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PD56EAYNGB6E6QQH62LAYCONOP6OH5DZ/ which is required to fully fix CVE-2022-39956 (and has other security fixes): https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ which says that versions back to 3.0.x are affected, though it may just not be addressing the ancient version we have. Regardless, they should be updated.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 3.2.3 and 3.3.4
This SRPM has been untouched for years, but guillomovitch is the registered maintainer, so assigning to you.
Assignee: bugsquad => guillomovitch
Fedora has issued an advisory today (October 24): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6MS5GMNYHFFIBWLJW7N3XAD24SLF3PFZ/ Based on the upstream advisory, this appears to also be for CRS: https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/ The issue is fixed upstream in 3.1.2, 3.2.1 and 3.3.2.
Summary: apache-mod_security-crs possible new security issues CVE-2022-3995[5-8] => apache-mod_security-crs possible new security issues CVE-2021-35368 and CVE-2022-3995[5-8]
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31457
Debian-LTS has issued an advisory for this on January 30: https://www.debian.org/lts/security/2023/dla-3293
Summary: apache-mod_security-crs possible new security issues CVE-2021-35368 and CVE-2022-3995[5-8] => apache-mod_security-crs possible new security issues CVE-2018-16384, CVE-2020-22669, CVE-2021-35368 and CVE-2022-3995[5-8]
Suggested advisory:
========================

The updated package fixes security vulnerabilities:

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed. (CVE-2018-16384)

Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications. (CVE-2020-22669)

OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname. (CVE-2021-35368)

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. (CVE-2022-39955)

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. (CVE-2022-39956)

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. (CVE-2022-39957)

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. (CVE-2022-39958)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4Q7DCCE37GT5ZBJOWP4NGUD4L3FAMDB/
https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6MS5GMNYHFFIBWLJW7N3XAD24SLF3PFZ/
https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
https://www.debian.org/lts/security/2023/dla-3293
========================

Updated package in core/updates_testing:
========================
apache-mod_security-crs-3.3.5-1.mga9

from SRPM:
apache-mod_security-crs-3.3.5-1.mga9.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Status comment: Fixed upstream in 3.2.3 and 3.3.4 => (none)
CVE: (none) => CVE-2018-16384, CVE-2020-22669, CVE-2021-35368, CVE-2022-39955, CVE-2022-39956, CVE-2022-39957, CVE-2022-39958
Assignee: guillomovitch => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 9
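A defender-side check for the CVE-2022-39955 mechanism the advisory text describes (more than one Content-Type "charset" name, or a name outside the configured allow list). This is an added Python example, not code from the CRS project or from the Mageia package; the allow-list contents, the function names and the sample headers are assumptions constructed for the demonstration.

```python
import re
from typing import List, Optional

# Constructed allow list standing in for the CRS Content-Type charset allow list
# (the real CRS setting and its default values are not quoted on this page).
ALLOWED_CHARSETS = frozenset({"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"})

# One media-type parameter after a ';': token "=" (quoted-string | token).
# Simplified from RFC 7231; the quoted-string branch keeps ';' inside quotes intact.
_PARAM_RE = re.compile(
    r'''\s*;\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]*)'''
)


def charset_names(content_type: str) -> List[str]:
    """Every charset= value declared in a Content-Type header, lower-cased, in order."""
    names = []
    for name, value in _PARAM_RE.findall(content_type):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        if name.lower() == "charset":
            names.append(value.lower())
    return names


def check_content_type(header_value: str, allowed=ALLOWED_CHARSETS) -> Optional[str]:
    """Return None when the header is acceptable, otherwise a short reason string.

    Two things are rejected: more than one charset parameter (the ambiguity the
    bypass relies on, whichever name the backend would honour) and any charset
    name that is not on the allow list.
    """
    names = charset_names(header_value)
    if len(names) > 1:
        return "multiple charset parameters: " + ", ".join(names)
    if names and names[0] not in allowed:
        return "charset not in allow list: " + names[0]
    return None


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    for hdr in ("application/json; charset=utf-8",
                "text/plain; charset=utf-8; charset=utf-7",
                'text/plain; CHARSET="UTF-7"'):
        print(hdr, "->", check_content_type(hdr))
```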
Keywords: (none) => advisory
CC: (none) => andrewsfarm
No previous round of this package.

VM mageia 9 x86_64

Test: install current version, update to testing version and remove

LC_ALL=C urpmi apache-mod_security-crs
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  apache-mod_security            2.9.7        1.mga9        x86_64
  apache-mod_security-crs        2.2.9        6.mga9        noarch
  lib64apr-util1_0               1.6.3        1.mga9        x86_64
  lib64apr1_0                    1.7.2        1.mga9        x86_64
  mlogc                          2.9.7        1.mga9        x86_64
  webserver-base                 2.0          16.mga9       noarch
(medium "Core Updates")
  apache                         2.4.58       1.mga9        x86_64
6.2MB of additional disk space will be used.
1.8MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n) y
    https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/apache-mod_security-crs-2.2.9-6.mga9.noarch.rpm
    https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/apache-mod_security-2.9.7-1.mga9.x86_64.rpm
    https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/mlogc-2.9.7-1.mga9.x86_64.rpm
    https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/lib64apr1_0-1.7.2-1.mga9.x86_64.rpm
    https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/lib64apr-util1_0-1.6.3-1.mga9.x86_64.rpm
    https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/webserver-base-2.0-16.mga9.noarch.rpm
    https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/updates/apache-2.4.58-1.mga9.x86_64.rpm
installing apache-2.4.58-1.mga9.x86_64.rpm mlogc-2.9.7-1.mga9.x86_64.rpm lib64apr1_0-1.7.2-1.mga9.x86_64.rpm lib64apr-util1_0-1.6.3-1.mga9.x86_64.rpm webserver-base-2.0-16.mga9.noarch.rpm apache-mod_security-crs-2.2.9-6.mga9.noarch.rpm apache-mod_security-2.9.7-1.mga9.x86_64.rpm from /var/cache/urpmi/rpms
Preparing...                     ###########################################################################################
      1/7: lib64apr1_0           ###########################################################################################
      2/7: lib64apr-util1_0      ###########################################################################################
      3/7: mlogc                 ###########################################################################################
warning: group apache does not exist - using root
warning: group apache does not exist - using root
      4/7: webserver-base        ###########################################################################################
      5/7: apache                ###########################################################################################
      6/7: apache-mod_security-crs ###########################################################################################
      7/7: apache-mod_security   ###########################################################################################

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release" is up-to-date
medium "Core Updates" is up-to-date
medium "Nonfree Release" is up-to-date
medium "Nonfree Updates" is up-to-date
medium "Tainted Release" is up-to-date
medium "Tainted Updates" is up-to-date
installing apache-mod_security-crs-3.3.5-1.mga9.noarch.rpm from //home/qateam/qa-testing/x86_64
Preparing...                     ###########################################################################################
      1/1: apache-mod_security-crs ###########################################################################################
      1/1: removing apache-mod_security-crs-2.2.9-6.mga9.noarch ###########################################################################################

LC_ALL=C urpme $(rpm -qa|grep apache-mod_security-crs)
removing apache-mod_security-crs-3.3.5-1.mga9.noarch
removing package apache-mod_security-crs-3.3.5-1.mga9.noarch
      1/1: removing apache-mod_security-crs-3.3.5-1.mga9.noarch ###########################################################################################
writing /var/lib/rpm/installed-through-deps.list
The following packages:
apache-2.4.58-1.mga9.x86_64
apache-mod_security-2.9.7-1.mga9.x86_64
lib64apr-util1_0-1.6.3-1.mga9.x86_64
lib64apr1_0-1.7.2-1.mga9.x86_64
mlogc-2.9.7-1.mga9.x86_64
webserver-base-2.0-16.mga9.noarch
are now orphaned, if you wish to remove them, you can use "urpme --auto-orphans"

LC_ALL=C urpme --auto-orphans --auto
removing apache-2.4.58-1.mga9.x86_64 apache-mod_security-2.9.7-1.mga9.x86_64 lib64apr-util1_0-1.6.3-1.mga9.x86_64 lib64apr1_0-1.7.2-1.mga9.x86_64 mlogc-2.9.7-1.mga9.x86_64 webserver-base-2.0-16.mga9.noarch
removing package apache-mod_security-1:2.9.7-1.mga9.x86_64
      1/6: removing apache-mod_security-1:2.9.7-1.mga9.x86_64 ###########################################################################################
removing package apache-2.4.58-1.mga9.x86_64
      2/6: removing apache-2.4.58-1.mga9.x86_64 ###########################################################################################
removing package lib64apr-util1_0-1.6.3-1.mga9.x86_64
      3/6: removing lib64apr-util1_0-1.6.3-1.mga9.x86_64 ###########################################################################################
removing package mlogc-1:2.9.7-1.mga9.x86_64
      4/6: removing mlogc-1:2.9.7-1.mga9.x86_64 ###########################################################################################
removing package webserver-base-2.0-16.mga9.noarch
      5/6: removing webserver-base-2.0-16.mga9.noarch ###########################################################################################
removing package lib64apr1_0-1:1.7.2-1.mga9.x86_64
      6/6: removing lib64apr1_0-1:1.7.2-1.mga9.x86_64 ###########################################################################################
Whiteboard: (none) => MGA9-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0070.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED