
Modsecurity 2.9.6 [Fix Security]


57 comments

  • ciao70
    This requires ModSecurity 2.9.6. CVE-2022-39956 "Content-Type or Content-Transfer-Encoding MIME header fields abuse":

    "The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. Important: The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v3.0.8) or an updated version with backports of the security fixes in these versions. If you fail to update ModSecurity, the webserver/engine will refuse to start with the following error message: "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS". You can disable/remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround. Please note that we plan to move the rules in REQUEST-922-MULTIPART-ATTACK.conf to the 920 or 921 rule files in the future. The rules are kept separate for the time being to accommodate users who can't update ModSecurity or where the engine does not yet support the new variables/collections. This vulnerability was discovered and reported by
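The bypass the advisory above describes can be seen with a few lines of code. The following is an added example, not code from the original post, from ModSecurity or from the CRS project. It builds constructed multipart/form-data bodies (the boundary, the field names and the SQL-injection payload are made up for the demonstration), then contrasts two inspectors: a naive one that scans only the raw body bytes, which is what a rule set sees when the engine does not decode per-part encodings, and a part-header check that, like the intent of REQUEST-922-MULTIPART-ATTACK.conf, flags any part declaring Content-Transfer-Encoding or a charset outside an allowlist instead of trying to decode every scheme. The signature regex and the charset allowlist are assumptions chosen for the example; decode_part shows what a lenient backend would reconstruct from the same part.

```python
"""Why an encoded multipart part slips past a body-only inspector (CVE-2022-39956 class)."""
import base64
import quopri
import re

BOUNDARY = b"----demoBoundary"  # constructed for the example, not from a real request

# Assumed: the charsets the engine is known to decode; anything else is flagged.
ALLOWED_CHARSETS = {"utf-8", "us-ascii", "iso-8859-1"}

# Assumed: a deliberately small signature standing in for a WAF rule.
SIGNATURE = re.compile(r"(?i)union\s+select|<script")

_CHARSET = re.compile(r'charset="?([\w-]+)"?', re.I)


def build_body(parts, boundary=BOUNDARY):
    """Assemble a multipart/form-data body from (name, extra_header_lines, data) tuples."""
    out = b""
    for name, extra_headers, data in parts:
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n'
        for line in extra_headers:
            out += line.encode() + b"\r\n"
        out += b"\r\n" + data + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


def parse_multipart(body, boundary=BOUNDARY):
    """Split a body into (headers, raw_data) parts; header names are lower-cased."""
    parts = []
    # A delimiter is CRLF + "--" + boundary; prefixing CRLF lets the first one match too.
    for chunk in (b"\r\n" + body).split(b"\r\n--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        if not chunk.startswith(b"\r\n"):
            raise ValueError("malformed part delimiter")
        head, _, data = chunk[2:].partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, data))
    return parts


def decode_part(headers, data):
    """Decode a part the way a lenient backend might; the unpatched engine did not."""
    cte = headers.get("content-transfer-encoding", "").lower()
    if cte == "base64":
        data = base64.b64decode(data)
    elif cte == "quoted-printable":
        data = quopri.decodestring(data)
    match = _CHARSET.search(headers.get("content-type", ""))
    charset = match.group(1) if match else "utf-8"
    return data.decode(charset, errors="replace")


def naive_inspect(body):
    """Scan only the raw body bytes: what the rules see when parts are not decoded."""
    return bool(SIGNATURE.search(body.decode("latin-1")))


def part_header_findings(parts):
    """Flag parts whose headers request an encoding the engine will not undo.

    Rather than decoding every scheme, refuse Content-Transfer-Encoding (not used
    in HTTP multipart/form-data per RFC 7578) and any charset outside the allowlist.
    """
    findings = []
    for headers, _ in parts:
        m = re.search(r'name="([^"]*)"', headers.get("content-disposition", ""))
        name = m.group(1) if m else "?"
        if "content-transfer-encoding" in headers:
            findings.append((name, "content-transfer-encoding: " + headers["content-transfer-encoding"]))
        match = _CHARSET.search(headers.get("content-type", ""))
        if match and match.group(1).lower() not in ALLOWED_CHARSETS:
            findings.append((name, "charset not allowed: " + match.group(1)))
    return findings


# Constructed sample bodies (not captured traffic).
PAYLOAD = b"' UNION SELECT user, pass FROM users--"
PLAIN_BODY = build_body([("comment", [], PAYLOAD)])
EVIL_BODY = build_body([
    ("comment", ["Content-Transfer-Encoding: base64"], base64.b64encode(PAYLOAD)),
    ("note", ['Content-Type: text/plain; charset="utf-16le"'],
     PAYLOAD.decode("ascii").encode("utf-16le")),
])
BENIGN_BODY = build_body([("comment", [], b"hello world")])

if __name__ == "__main__":
    for label, body in (("plain", PLAIN_BODY), ("encoded", EVIL_BODY), ("benign", BENIGN_BODY)):
        parts = parse_multipart(body)
        print(label, "| raw-body match:", naive_inspect(body),
              "| part-header findings:", part_header_findings(parts),
              "| backend sees:", [decode_part(h, d) for h, d in parts])
```

The plain body trips the naive scan, the encoded body does not, yet decode_part shows the backend receives the identical payload from both encoded parts. The part-header check catches the encoded body on its headers alone, which is why the fixed CRS needs the MULTIPART_PART_HEADERS collection that only ModSecurity 2.9.6 / 3.0.8 expose; an older engine has no such variable to match against, hence the "Unknown variable" startup error quoted above.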
  • cPRex Jurassic Moderator
    Hey there! Our team has explored the option of upgrading from 2.9.6 but currently that is on hold because Comodo is one of the most popular rulesets in use, but they don't have a set of rules for 2.9.4, 2.9.5, or 2.9.6. If we did perform that update, it would break the functionality for all the users that are currently using that ruleset. Once we do release that update it would show up in the EasyApache changelogs at EasyApache 4 Change Log 2022 | cPanel & WHM Documentation so I'd keep an eye on that area for updates.
  • sparek-3
    The Comodo WAF project is still alive? There hasn't been an update to it in years.
  • cPRex Jurassic Moderator
    Unfortunately yes - even though it may be outdated, there are many users with this in place that we'd have to forcibly switch. I've spoken with the security team to see if I can get some more details on our plans for this and I'll post once I hear something.
  • ciao70
    Unfortunately yes - even though it may be outdated, there are many users with this in place that we'd have to forcibly switch. I've spoken with the security team to see if I can get some more details on our plans for this and I'll post once I hear something.

    Hi cPRex, ModSecurity 2.9.6 is also a security update, so anyone using a version earlier than 2.9.6 is vulnerable. The security update for the CRS rules is a critical update and requires ModSecurity 2.9.6 to be able to update CRS to the latest version, 3.2.3 or 3.3.4; otherwise CVE-2022-39956 (v2.9.6):

    "You can disable/remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround. Please note that we plan to move the rules in REQUEST-922-MULTIPART-ATTACK.conf to the 920 or 921 rule files in the future. The rules are kept separate for the time being to accommodate users who can't update ModSecurity or where the engine does not yet support the new variables/collections."
  • cPRex Jurassic Moderator
    I've reached out to our webserver team to see if I can get more details and I'll post an update once I hear back.
  • ciao70
    I hope that we can make sure that we can also manually update to 2.9.6. This way Comodo users can continue to use ModSecurity 2.9.3.
  • ciao70
    @cPRex Obviously, in addition to ModSecurity 2.9.6 you also need the possibility to update OWASP CRS to 3.3.4. Now it is ea-modsec2-rules-owasp-crs-3.3.2-4.7.1.cpanel.x86_64.
  • cPRex Jurassic Moderator
    I did speak with the web server team and they are looking into this to see how we want to proceed. I'll be sure to post an update once I have one.
  • ciao70
    Hi cPRex, yes, we know: "Q: Why is Trustwave ending support for ModSecurity? A: Trustwave decided to end our support for ModSecurity to let the open-source community continue the project." Right now we urgently need to update ModSecurity to 2.9.6 and OWASP CRS to 3.3.4. Thanks
  • ciao70
    I did speak with the web server team and they are looking into this to see how we want to proceed. I'll be sure to post an update once I have one.

    Hi cPRex, do you have any news? Thanks
  • cPRex Jurassic Moderator
    I haven't heard anything yet from the team.
  • ciao70
    OK, I am waiting.
  • ciao70
    I haven't heard anything yet from the team.

    Hi cPRex, do you have any news? Thanks
  • cPRex Jurassic Moderator
    I do see our team is doing internal testing with this update, but I don't have anything official to report. I'll be sure to post something once I have an update to share.
  • tyuuu
    I checked my EasyApache; it shows 2.9.3-18.el8.cloudlinux. Is it secure?
  • cPRex Jurassic Moderator
    @tyuuu - that is the correct version at this time. @ciao70 - the task has been assigned to a development team, but I don't have any type of ETA on when the version update will happen.
  • tyuuu
    Hi, is it fine to keep 2.9.3 and OWASP 3.2.2? Or is it urgent and important to use 2.9.6 and 3.3.4 ASAP?
  • cPRex Jurassic Moderator
    Since there isn't a way to update just yet, it's fine to keep 2.9.3. Our team is working on the update now and I'll be sure to post once there are more details to share.
  • ciao70
    Hi, is it fine to keep 2.9.3 and OWASP 3.2.2? Or is it urgent and important to use 2.9.6 and 3.3.4 ASAP?

    Hi, OWASP 3.2.3 and 3.3.4 need ModSecurity 2.9.6 to work without problems.
  • tyuuu
    Hi, are the following correct?
    1. That is OWASP CRS's security issue, not ModSecurity's?
    2. September 19, 2022 released both 3.3.3 and 3.2.2 to fix the security issue, and September 20, 2022 released 3.3.4/3.2.3 to fix 3.3.3/3.2.2's bug?
    3. No matter 3.3.3 or 3.3.4, all need ModSecurity 2.9.6 to apply, but cPanel only supports ModSecurity 2.9.3 and CRS 3.3.2 now; that is why we cannot apply CRS 3.3.4, correct?
  • cPRex Jurassic Moderator
    That sounds correct to me! I'll be sure to keep you guys updated.
  • SimpleTechGuy
    A: Trustwave decided to end our support for ModSecurity to let the open-source community continue the project.

    Does anybody know if cpanel has plans to keep supporting ModSecurity after Trustwave fully transitions out?
  • cPRex Jurassic Moderator
    I'm not sure that has been decided yet.
  • ciao70
    Hi, are the following correct?
    1. That is OWASP CRS's security issue, not ModSecurity's?
    2. September 19, 2022 released both 3.3.3 and 3.2.2 to fix the security issue, and September 20, 2022 released 3.3.4/3.2.3 to fix 3.3.3/3.2.2's bug?
    3. No matter 3.3.3 or 3.3.4, all need ModSecurity 2.9.6 to apply, but cPanel only supports ModSecurity 2.9.3 and CRS 3.3.2 now; that is why we cannot apply CRS 3.3.4, correct?

    Hi, 1. The security problem is mainly in OWASP CRS: "Release announcement covering fixes for CVE-2022-39955, CVE-2022-39956, CVE-2022-39957 and CVE-2022-39958, additional security fixes and security fixes in the latest ModSecurity releases 2.9.6 and 3.0.8." In any case it also affects ModSecurity < 2.9.6; CVE-2022-39956: "Important: The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v3.0.8) or an updated version with backports of the security fixes in these versions. If you fail to update ModSecurity, the webserver/engine will refuse to start with the following error message: "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS". You can disable/remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround. Please note that we plan to move the rules in REQUEST-922-MULTIPART-ATTACK.conf to the 920 or 921 rule files in the future. The rules are kept separate for the time being to accommodate users who can't update ModSecurity or where the engine does not yet support the new variables/collections."

    • Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [Issue #2799 - @terjanq, @martinhsv]
  • ciao70
    Hi cPRex, Do you have any good news? :) Thanks
  • cPRex Jurassic Moderator
    No, but I also don't have any bad news!
  • ciao70
    OK, we are waiting, hopefully soon :)
  • ciao70
    Hi cPRex, isn't it that the developers have forgotten? :)