Modsecurity 2.9.6 [Fix Security]
This requires ModSecurity 2.9.6. CVE-2022-39956: "Content-Type or Content-Transfer-Encoding MIME header fields abuse. The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively. Important: The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v3.0.8) or an updated version with backports of the security fixes in these versions. If you fail to update ModSecurity, the webserver/engine will refuse to start with the following error message: "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS". You can disable/remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround. Please note that we plan to move the rules in REQUEST-922-MULTIPART-ATTACK.conf to the 920 or 921 rule files in the future. The rules are kept separate for the time being to accommodate users who can't update ModSecurity or where the engine does not yet support the new variables/collections. This vulnerability was discovered and reported by"
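The bypass in the advisory quoted above hinges on per-part MIME headers, so the following added example (not cPanel's, CRS's or ModSecurity's code) parses a multipart body and flags parts that declare a Content-Transfer-Encoding or a charset outside an allowlist, which is the kind of check the REQUEST-922 rules add through the MULTIPART_PART_HEADERS collection. The sample body, its boundary and the ALLOWED_CHARSETS allowlist are constructed assumptions.

```python
import base64
import re

# Constructed sample: one multipart/form-data part whose headers declare a
# transfer encoding and a charset. An engine that ignores per-part headers
# inspects the raw base64 text instead of what the backend will decode.
BOUNDARY = b"----constructedboundary"
SAMPLE_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="comment"\r\n'
    b"Content-Type: text/plain; charset=utf-7\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.b64encode(b"hello from a constructed sample") + b"\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)

# Assumption: charsets the backend is known to handle the same way the WAF does.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "us-ascii"}


def split_parts(body: bytes, boundary: bytes):
    """Split a multipart body into (headers, payload) tuples, hand-rolled so
    the check sees the raw part headers rather than a library's decoded view."""
    delim = b"--" + boundary
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter reached
        head, _, payload = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, payload.rstrip(b"\r\n")))
    return parts


def inspect_multipart(body: bytes, boundary: bytes):
    """Return (part index, header, value) for every per-part header that
    signals an encoding the engine will not transparently decode."""
    findings = []
    for idx, (headers, _) in enumerate(split_parts(body, boundary)):
        cte = headers.get("content-transfer-encoding")
        if cte is not None:
            findings.append((idx, "content-transfer-encoding", cte.lower()))
        charset = re.search(r'charset\s*=\s*"?([\w.-]+)"?',
                            headers.get("content-type", ""), re.I)
        if charset and charset.group(1).lower() not in ALLOWED_CHARSETS:
            findings.append((idx, "charset", charset.group(1).lower()))
    return findings
```

A part that yields findings is one where the decoded backend view can differ from what the rule set inspected; an engine exposing MULTIPART_PART_HEADERS lets the CRS 922 rules make the same decision natively.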
Hey there! Our team has explored the option of upgrading to 2.9.6, but currently that is on hold because Comodo is one of the most popular rulesets in use, and they don't have a set of rules for 2.9.4, 2.9.5, or 2.9.6. If we did perform that update, it would break the functionality for all the users that are currently using that ruleset. Once we do release that update it would show up in the EasyApache changelogs at "EasyApache 4 Change Log 2022 | cPanel & WHM Documentation", so I'd keep an eye on that area for updates.
Unfortunately yes: even though it may be outdated, there are many users with this in place that we'd have to forcibly switch. I've spoken with the security team to see if I can get some more details on our plans for this and I'll post once I hear something.
Hi cPRex, ModSecurity 2.9.6 is also a security update, so anyone using a version earlier than 2.9.6 is vulnerable. The security update for the CRS rules is a critical update and requires ModSecurity 2.9.6 to be able to update CRS to the latest version, 3.2.3 or 3.3.4; otherwise (CVE-2022-39956, v2.9.6): "You can disable/remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround. Please note that we plan to move the rules in REQUEST-922-MULTIPART-ATTACK.conf to the 920 or 921 rule files in the future. The rules are kept separate for the time being to accommodate users who can't update ModSecurity or where the engine does not yet support the new variables/collections."
I've reached out to our webserver team to see if I can get more details and I'll post an update once I hear back.
I hope that we can make sure that we can also manually update to 2.9.6. This way Comodo users can continue to use ModSecurity 2.9.3.
@cPRex Obviously, in addition to ModSecurity 2.9.6 you also need the possibility to update OWASP CRS to 3.3.4. Right now it is ea-modsec2-rules-owasp-crs-3.3.2-4.7.1.cpanel.x86_64.
I did speak with the web server team and they are looking into this to see how we want to proceed. I'll be sure to post an update once I have one.
This is also another consideration: "End of Sale and Trustwave Support for ModSecurity Web Application Firewall".
Hi cPRex, yes, we know: Q: Why is Trustwave ending support for ModSecurity? A: Trustwave decided to end our support for ModSecurity to let the open-source community continue the project. Right now we urgently need to update ModSecurity to 2.9.6 and OWASP CRS to 3.3.4. Thanks
Hi cPRex, do you have news? Thanks
I haven't heard anything yet from the team.
OK, I am waiting.
Hi cPRex, do you have news? Thanks
I do see our team is doing internal testing with this update, but I don't have anything official to report. I'll be sure to post something once I have an update to share.
I checked my EasyApache; it shows 2.9.3-18.el8.cloudlinux. Is it secure?
@tyuuu - that is the correct version at this time. @ciao70 - the task has been assigned to a development team, but I don't have any type of ETA on when the version update will happen.
Hi, is it fine to keep 2.9.3 and OWASP 3.2.2, or is it urgent and important to use 2.9.6 and 3.3.4 ASAP?
Since there isn't a way to update just yet, it's fine to keep 2.9.3. Our team is working on the update now and I'll be sure to post once there are more details to share.
Hi, are the following correct? 1. This is OWASP CRS's security issue, not ModSecurity's? 2. On September 19, 2022 both 3.3.3 and 3.2.2 were released to fix the security issue, and on September 20, 2022 3.3.4/3.2.3 were released to fix a bug in 3.3.3/3.2.2? 3. Whether 3.3.3 or 3.3.4, all need ModSecurity 2.9.6 to apply, but cPanel only supports ModSecurity 2.9.3 and CRS 3.3.2 now, which is why we cannot apply CRS 3.3.4, correct?
That sounds correct to me! I'll be sure to keep you guys updated.
A: Trustwave decided to end our support for ModSecurity to let the open-source community continue the project.
Does anybody know if cPanel has plans to keep supporting ModSecurity after Trustwave fully transitions out?
I'm not sure that has been decided yet.
Hi, 1. The security problem is mainly in OWASP CRS: "Release announcement covering fixes for CVE-2022-39955, CVE-2022-39956, CVE-2022-39957 and CVE-2022-39958, additional security fixes and security fixes in the latest ModSecurity releases 2.9.6 and 3.0.8." In any case it also affects ModSecurity < 2.9.6 (CVE-2022-39956): "Important: The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v3.0.8) or an updated version with backports of the security fixes in these versions. If you fail to update ModSecurity, the webserver/engine will refuse to start with the following error message: "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS". You can disable/remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround. Please note that we plan to move the rules in REQUEST-922-MULTIPART-ATTACK.conf to the 920 or 921 rule files in the future. The rules are kept separate for the time being to accommodate users who can't update ModSecurity or where the engine does not yet support the new variables/collections." From the ModSecurity changelog: "Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [Issue #2799 - @terjanq, @martinhsv]".
Hi cPRex, do you have any good news? :) Thanks
No, but I also don't have any bad news!
OK, we are waiting, hopefully soon :)
Hi cPRex, isn't it that the developers have forgotten? :)