[CPANEL-27532] /scripts/modsec_vendor update failed

jndawson

May 27, 2019 14:50

All of our servers are reporting identical update failures:

The cPanel & WHM update process failed for the following reason:

Maintenance ended; however, it did not exit cleanly (256). The following events were logged: "scripts/modsec_vendor". Review the update logs to determine why the update failed.

Update log preview:

...
...
[2019-05-27 02:46:00 -0700] E [/usr/local/cpanel/scripts/modsec_vendor] The "/usr/local/cpanel/scripts/modsec_vendor update --auto" command (process 6160) reported error number 1 when it ended.

Running /scripts/modsec_vendor update --auto:

[ root@cp1 ~># /usr/local/cpanel/scripts/modsec_vendor update --auto
info [modsec_vendor] Updates are in progress for all of the installed ModSecurity vendors with automatic updates enabled.
info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
info [modsec_vendor] The vendor "configserver" is already up to date.
info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
info [modsec_vendor] The vendor "OWASP3" is already up to date.

There don't seem to be any actual problems. Is this a known issue that is getting addressed?

Comments

30 comments

TDP

May 28, 2019 00:25
I too am having a very similar issue since the 78.0.24 update. I am using the COMODO LiteSpeed rules. Below is the output from the last update log. The cPanel & WHM update process failed for the following reason: Maintenance ended; however, it did not exit cleanly (256). The following events were logged: "scripts/modsec_vendor". Review the update logs to determine why the update failed. Update log preview: ... ... [2019-05-27 03:29:11 -0400] E [/usr/local/cpanel/scripts/modsec_vendor] The "/usr/local/cpanel/scripts/modsec_vendor update --auto" command (process 34159) reported error number 1 when it +ended.
Sometimes when I run /usr/local/cpanel/scripts/modsec_vendor update --auto it fails to retrieve the rules, but after running it a second, or third time it completes without error. This doesn't happen every time though, sometimes running it once manually it completes without error. My server is running a fully up to date installation of CloudLinux 7.6, and cPanel/WHM 78.0.24.
0
Metro2

May 28, 2019 16:44
I found this thread because I just noticed same happened to me this morning (CloudLinux 6.10, WHM 78.0.24) [2019-05-28 01:01:34 -0400] E [/usr/local/cpanel/scripts/modsec_vendor] The "/usr/local/cpanel/scripts/modsec_vendor update --auto" command (process 2805294) reported error number 1 when it ended.
0
cPanelLauren

May 30, 2019 20:12
Can you tell me which modsecurity vendors you're using? I'd like to see if there's a common thread.
0
Metro2

May 30, 2019 21:39
Can you tell me which modsecurity vendors you're using? I'd like to see if there's a common thread.

ConfigServer 1/1 OWASP 22/22 However, the issue has not occurred since cPanel's upcp cron at 1:00am EST Tuesday May 28, which ran fine 1am May 29 and 1am May 30. I might be way off-base, but it almost seems to have coincided with the fact that it was while I was still running WHM 78 while WHM 80 was showing as available in the upper-right of WHM but was not automatically updating to 80 for a couple days, around same time some of us were having the yum update problem in this (possibly related / possibly not) other thread - I hope maybe some of that helps either confirm or dispel some suspicions.
0
jndawson

June 02, 2019 19:46
Can you tell me which modsecurity vendors you're using? I'd like to see if there's a common thread.

As noted previously: info [modsec_vendor] The vendor "configserver" is already up to date. info [modsec_vendor] The vendor "OWASP3" is already up to date.
The error hadn't repeated for several update cycles, but we got the same error on last night's updates to v.80.0.12.
0
cPanelLauren

June 03, 2019 18:41
You're both running the 3rd Party ConfigServer Modsecurity vendor, does the issue persist with this vendor removed?
0
jndawson

June 03, 2019 20:01
You're both running the 3rd Party ConfigServer Modsecurity vendor, does the issue persist with this vendor removed?

We're running the same setup on all our servers. We aren't getting the update error on everything every time, and it seems random. The mod_sec rules are up-to-date, so the update error seems anomalous.
0
Metro2

June 06, 2019 06:22
You're both running the 3rd Party ConfigServer Modsecurity vendor, does the issue persist with this vendor removed?

In my case, I've been running the 1 ConfigServer Modsec rule for years, and only encountered this one - on May 28th at 1:00am EST during nightly auto upcp, when cPanel releaed update from 78 to 80. Never occurred before, hasn't occurred since, and I keep all servers updated to "release" tier nightly.
0
sparek-3

June 07, 2019 14:52
Does cPanel manage the OWASP modsecurity ruleset for cPanel? Or is that managed by someone else. The yaml file appears to be hosted on cPanel
0
cPanelLauren

June 07, 2019 15:14
It's also possible there have been intermittent connection issues with the servers hosting the rules, unfortunately, this isn't something we'd track.
0
fuzzylogic

June 07, 2019 23:00
Good spotting. This ruleset would not update for servers with Modsecurity 2.9.3, or if you deleted the ruleset it would not reinstall if you tried. Would only need copy and paste of entry for 2.9.2 then change to 2.9.3. This ruleset does not change very often so its not urgent, but better to add this sooner rather than later.
0
sparek-3

June 07, 2019 23:07
Yea... the fact that this hasn't been spotted is a bit concerning. Unless maybe I'm using the wrong OWASP vendor? Maybe
0
fuzzylogic

June 07, 2019 23:41
There is an unresolved recent active thread with some admins noticing Modsec ruleset update failures, you may have discovered the reason.
0
fuzzylogic

June 07, 2019 23:50
Possible cause may be no entry in...
0
Infopro

June 08, 2019 00:47
Yea... the fact that this hasn't been spotted is a bit concerning. Unless maybe I'm using the wrong OWASP vendor? Maybe It has a link to this file:
0
sparek-3

June 08, 2019 03:13
So... I guess if you installed OWASP ... whatever version that is, non-3.0 ... then you are SOL if you don't find that thread? Why are there two different OWASP sets? Is OWASP non-3.0 not being updated any longer?
0
fuzzylogic

June 08, 2019 03:42
OK I see whats happened. Sparak-3 is referencing the older version of the cPanel curated OWASP ruleset (and its .yaml file) The newer version OWASP3 has version 2.9.3 of Modsecurity (and newer versions) in its .yaml file. The difference is... OWASP completely renumbered all the rules between these ruleset versions. The changeover is quick and easy, the pain may come when you get false positives from rules that you have DisabledbyID that become active again when they have a new ID. That was why both versions were available for a period of time.
0
sparek-3

June 08, 2019 04:53
Yea, I'd say that's definitely it. But I suppose my question is, when was the non 3.0 OWASP ruleset deprecated? Was there a notice about this? I know I'm being a bit facetious in my posts - but honestly I may have missed this notice. But I really wasn't aware that the non-3.0 OWASP ruleset was deprecated, or even if it is. I will admit, we only have a handful of servers that are using the OWASP ruleset, so maybe that's why I overlooked it. I don't really stay that in tuned with it. But it just seems like there's something amiss that the non 3.0 OWASP ruleset is still there... but not getting ModSecurity 2.9.3 support? Maybe the non-3.0 OWASP ruleset should be taken down? Since... apparently ModSecurity 2.9.3 is THE version of modsecurity now.
0
kamaok

June 08, 2019 17:40
Hello guys! Could you please help me with the same issue regarding update owasp? 2019-06-07 23:40:11 +0100] - Processing command `/usr/local/cpanel/scripts/modsec_vendor update --auto` [2019-06-07 23:40:12 +0100] [/usr/local/cpanel/scripts/modsec_vendor] The system failed to update the vendor from the URL ": The vendor metadata does not contain an entry for your version of ModSecurity, "2.9.3". The only versions of ModSecurity this rule set supports are "2.8.0", "2.9.0", and "2.9.2". [2019-06-07 23:40:12 +0100] E [/usr/local/cpanel/scripts/modsec_vendor] The "/usr/local/cpanel/scripts/modsec_vendor update --auto" command (process 30132) reported error number 1 when it ended.
What should I do to manage with it? Is it enough only to disable/delete owasp and install and enable owasp3? # /scripts/modsec_vendor list [OWASP3] OWASP ModSecurity Core Rule Set V3.0 (not installed) cpanel_provided 1 description SpiderLabs OWASP V3 curated ModSecurity rule set installed 0 installed_from OWASP ModSecurity CRS - cPanel Knowledge Base - cPanel Documentation [OWASP] OWASP ModSecurity Core Rule Set configs (22) cpanel_provided 1 description SpiderLabs OWASP curated ModSecurity rule set enabled 1 in_use 22 inst_dist OWASP_1501094486 installed 1 installed_from supported_versions (3) update 1 vendor_id OWASP vendor_url
OWASP ModSecurity CRS - cPanel Knowledge Base - cPanel Documentation Thanks in advance!
0
kamaok

June 09, 2019 09:26
I have installed and enable auto update owasp3 and delete owasp Updating owasp3 works properly Thanks!
0
cPanelLauren

June 10, 2019 19:49
Hi guys, Thanks in part to your findings with this we have an internal case open for this CPANEL-27532 - ModSecurity rule download logic needs to support fallbacks to default rulesets and we'll also be updating documentation. Right now the workaround for this is as you found - switch to OWASP3 but we're working on a fix for this and we'll update here when the issue is resolved. Thanks!
0
gschaefer

June 12, 2019 02:03
Yes i have been experiencing the exactly same problem for the last few weeks. Am using WHM/cpanel v80.0.14
0
gschaefer

June 12, 2019 23:44
I have installed and enable auto update owasp3 and delete owasp Updating owasp3 works properly Thanks!

Could you please provide the steps to do this, thanks.
0
kamaok

June 15, 2019 16:08
Could you please provide the steps to do this, thanks.

1.Disable OWASP ModSecurity Core Rule Set and Install OWASP ModSecurity Core Rule Set v3.0 WHM->Security Center->Modsecurity Vendors-> OWASP ModSecurity Core Rule Set " Disable OWASP ModSecurity Core Rule Set v3.0 " Install 2.Enable rule set for OWASP ModSecurity Core Rule Set v3.0 WHM->Security Center->Modsecurity Vendors-> OWASP ModSecurity Core Rule Set v3.0 -> Edit->Enable all(rules) 3. Enable OWASP ModSecurity Core Rule Set v3.0 and enable update fot this modsec vendor WHM->Security Center->Modsecurity Vendors-> OWASP ModSecurity Core Rule Set v3.0 "Enable-On, Updates-On 4.Check you current status modsec vendors It may something like it # /scripts/modsec_vendor list [OWASP] OWASP ModSecurity Core Rule Set ".. enabled 0 ".. [OWASP3] OWASP ModSecurity Core Rule Set V3.0 "". enabled 1 ".. Then you can delete [OWASP] OWASP ModSecurity Core Rule Set After try to update rule set for [OWASP3] OWASP ModSecurity Core Rule Set V3.0 via command # /usr/local/cpanel/scripts/modsec_vendor update --auto
0
jndawson

June 17, 2019 23:26
I'm the OP and we updated our OWASP rule sets to 3.0 over a year ago, so updating is not an option. On the other hand, we haven't gotten the error in quite some time, so whatever was causing it, it's been corrected somehow. Maybe.
0
Cloud9

April 17, 2021 09:41
I think this may be similar to above problems, just started getting this error regarding modes and Comodo ruleset [2021-04-17 03:00:22 +0100] - Processing command `/usr/l[/usr/local/cpanel/scripts/modsec_vendor] The system failed to update the vendor from the URL "Free ModSecurity Rules from Comodo: The vendor metadata does not contain an entry for your version of ModSecurity, "2.9.3". The only versions of ModSecurity this rule set supports are "". [2021-04-17 03:00:27 +0100] E [/usr/local/cpanel/scripts/modsec_vendor] The "/usr/local/cpanel/scripts/modsec_vendor update --auto" command (process 2164) reported error number 1 when it ended. [2021-04-17 03:00:27 +0100] The Administrator will be notified to review this output when this script completes [2021-04-17 03:00:27 +0100] - Finished command `/usr/local/cpanel/scripts/modsec_vendor update --auto` in 4.658 seconds [2021-04-17 03:00:27 +0100] 95% complete
0
Cloud9

April 19, 2021 07:14
Looks like its an issue cPanel are looking into......
0
cPRex Jurassic Moderator

April 19, 2021 16:29
I'm glad you were able to find more details in our support pages!
0
fuzzylogic

April 21, 2021 06:27
@Cloud9 During the 3 days you had problems the uri... waf.comodo.com/doc/meta_comodo_litespeed.yaml and waf.comodo.com/doc/meta_comodo_apache.yaml have been redirecting to... waf.comodo.com/user This caused the issue you were seeing. The 2 .yaml files are now publicly accessible again, so this issue show be resolved if you try to update the rules again.
0
Todd23

May 11, 2022 15:43
This is 2022 and the issue is still happening even with OWASP3 and it just started with cpanel v102.0.12 now up to 102.0.15 [2022-05-11 00:10:57 -0400] E [/usr/local/cpanel/scripts/modsec_vendor] The "/usr/local/cpanel/scripts/modsec_vendor update --auto" command (process 5771) reported error number 1 when it ended. However once you update ConfigServer ModSecurity Control the issue should resolve itself.
0

Please sign in to leave a comment.

Comments

Didn't find what you were looking for?