Gentoo Linux Security Advisory 202305-25

Gentoo Linux Security Advisory 202305-25 - Multiple vulnerabilities have been discovered in ModSecurity Core Rule Set, the worst of which could result in bypassing the WAF. Versions less than 3.3.4 are affected.

Packet Storm

Gentoo Linux Security Advisory GLSA 202305-25

https://security.gentoo.org/

Severity: Low
Title: OWASP ModSecurity Core Rule Set: Multiple Vulnerabilities
Date: May 21, 2023
Bugs: #822003, #872077
ID: 202305-25


Synopsis

Multiple vulnerabilities have been discovered in ModSecurity Core Rule
Set, the worst of which could result in bypassing the WAF.

Background

ModSecurity Core Rule Set (CRS) is the OWASP ModSecurity Core Rule Set, a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.

Affected packages

Package                        Vulnerable    Unaffected
-----------------------------  ------------  ------------
www-apache/modsecurity-crs     < 3.3.4       >= 3.3.4

Description

Multiple vulnerabilities have been discovered in OWASP ModSecurity Core
Rule Set. Please review the CVE identifiers referenced below for
details.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All OWASP ModSecurity Core Rule Set users should upgrade to the latest
version:

emerge --sync

emerge --ask --oneshot --verbose ">=www-apache/modsecurity-crs-3.3.4"

References

[ 1 ] CVE-2021-35368
https://nvd.nist.gov/vuln/detail/CVE-2021-35368
[ 2 ] CVE-2022-39955
https://nvd.nist.gov/vuln/detail/CVE-2022-39955
[ 3 ] CVE-2022-39956
https://nvd.nist.gov/vuln/detail/CVE-2022-39956
[ 4 ] CVE-2022-39957
https://nvd.nist.gov/vuln/detail/CVE-2022-39957
[ 5 ] CVE-2022-39958
https://nvd.nist.gov/vuln/detail/CVE-2022-39958

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202305-25

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2023 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Related news

CVE-2022-39958: CRS Version 3.3.3 and 3.2.2 (covering several CVEs) – OWASP ModSecurity Core Rule Set

The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.
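The slicing pattern described above (one client pulling a protected resource through many tiny HTTP Range requests) can be spotted in the web server's own access log, independently of the CRS version in use. The following detector is an added example, not part of the advisory or of CRS itself; it assumes the access log was written with a custom Apache LogFormat that appends the Range request header, and the sample lines are constructed.

```python
"""Flag clients that fetch one resource as many small HTTP Range slices.

Assumes an Apache LogFormat such as:
    LogFormat "%h %t \"%r\" %>s %b \"%{Range}i\"" crsrange
so that the Range request header is the last quoted field.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = """\
198.51.100.7 [21/May/2023:10:00:01 +0000] "GET /admin/export.csv HTTP/1.1" 206 8 "bytes=0-7"
198.51.100.7 [21/May/2023:10:00:02 +0000] "GET /admin/export.csv HTTP/1.1" 206 8 "bytes=8-15"
198.51.100.7 [21/May/2023:10:00:03 +0000] "GET /admin/export.csv HTTP/1.1" 206 8 "bytes=16-23"
198.51.100.7 [21/May/2023:10:00:04 +0000] "GET /admin/export.csv HTTP/1.1" 206 8 "bytes=24-31"
203.0.113.9 [21/May/2023:10:00:05 +0000] "GET /video.mp4 HTTP/1.1" 206 1048576 "bytes=0-1048575"
203.0.113.9 [21/May/2023:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 5120 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<range>[^"]*)"$')
RANGE_RE = re.compile(r'^bytes=(\d+)-(\d+)$')


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def range_length(value):
    """Byte count of a single closed 'bytes=a-b' range; None for absent,
    open-ended (bytes=a- / bytes=-n) or multi-range values."""
    m = RANGE_RE.match(value)
    if not m:
        return None
    start, end = int(m.group(1)), int(m.group(2))
    return end - start + 1 if end >= start else None


def find_slicing(log_text, max_slice=64, min_requests=3):
    """Count 206 (Partial Content) responses per (client, path) whose Range
    covers at most max_slice bytes; return the pairs seen min_requests+ times.
    Legitimate range use (media seeking, resumed downloads) asks for large
    slices and so stays below the threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "206":
            continue
        length = range_length(rec["range"])
        if length is not None and length <= max_slice:
            counts[(rec["ip"], rec["path"])] += 1
    return {key: n for key, n in counts.items() if n >= min_requests}
```

Tune `max_slice` to the smallest fragment the deployed rules would still match on, and `min_requests` to what a single legitimate client plausibly issues against one URL.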

CVE-2021-35368: WAF bypass: ‘Severe’ OWASP ModSecurity Core Rule Set bug was present for several years

OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.
