
Re: Question about modsecurity-crs package upgrade



Hi, Paul.

On Mon, Sep 12, 2022 at 10:21:12PM +0200, Paul Gevers wrote:
> Hi,
> 
> Sorry for the delay in responding. This list is very high volume (it
> receives bug reports too) and plain messages sometimes slip through.
> 
> On 02-09-2022 14:35, Ervin Hegedüs wrote:
> > *We need to know if we could add this patch to the existing packages
> > (3.3 in both Debian 10 and Debian 11) without CVE or not.*
> 
> Well, Debian 10 got its last official point release last Saturday, so we're
> not considering that anymore. For the current stable (Debian 11), we don't
> need CVEs for updates, just a good justification of all the changes
> (assuming the justifications are in line with our stable release policy).

The reason for the update to modsecurity is a new set of rules in the
Core Rule Set that is coming out soon fixing a CVE. These (CRS) will
also get updated in stable (either through -security or a stable
upload). So we are getting modsecurity ready for them. Here's the draft
for the CRS release:
------------------------------------------------------------------------------
CVE-2022-39956 - Content-Type or Content-Transfer-Encoding MIME header fields
abuse

The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set
bypass for HTTP multipart requests by submitting a payload that uses a
character encoding scheme via the Content-Type or the deprecated
Content-Transfer-Encoding multipart MIME header fields that will not be
decoded and inspected by the web application firewall engine and the rule set.
The multipart payload will therefore bypass detection. A vulnerable backend
that supports these encoding schemes can potentially be exploited. The legacy
CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported
versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to
3.2.2 and 3.3.3 respectively.

Important: The mitigation against these vulnerabilities depends on the
installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an updated
version with backports of the security fixes in these versions.
If you fail to update ModSecurity, the webserver / engine will refuse to start
with the following error message: "Error creating rule: Unknown variable:
MULTIPART_PART_HEADERS".
You can disable / remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from
the release in order to allow you to run the latest CRS without a fix to
CVE-2022-39956, however we advise against this workaround.

------------------------------------------------------------------------------

I'll quote that same announcement in the bug report for the upload to
release.debian.org.

Thanks,

Alberto


-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
mailto/sip: agi@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55
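The draft advisory quoted above describes the bypass in prose only. The following is an added worked example, written for this page and not taken from the CRS release, the ModSecurity engine or the Debian packaging: it builds three constructed multipart/form-data requests carrying the same sample injection string, once plain, once with `Content-Transfer-Encoding: base64` on the part, and once with a `charset=utf-16` parameter on the part's `Content-Type`. A toy "body-only" inspector, standing in for an engine that never looks at the per-part headers, catches only the plain variant, while a backend that honours the part headers decodes all three to the same string. The `part_header_check` function models the mitigation the advisory describes (inspecting the part headers for encodings the engine will not decode); it is a hypothetical check written for this example, not the content of `REQUEST-922-MULTIPART-ATTACK.conf`, and the boundary, field name and payload are all constructed. In real ModSecurity the rule can only do this once the engine exposes the part headers, which is why the advisory ties the fix to the `MULTIPART_PART_HEADERS` variable in v2.9.6/v3.0.8.

```python
import base64
import re

# Constructed values for this example; none come from the advisory.
BOUNDARY = b"----ConstructedBoundary1234"
SQLI = "1' OR '1'='1"                          # sample payload a WAF should catch
SQLI_RE = re.compile(rb"'\s*or\s*'", re.I)     # toy signature standing in for a rule


def build_multipart(parts, boundary=BOUNDARY):
    """Serialise [(headers_dict, body_bytes), ...] as a multipart/form-data body."""
    out = b""
    for headers, body in parts:
        out += b"--" + boundary + b"\r\n"
        for name, value in headers.items():
            out += f"{name}: {value}".encode() + b"\r\n"
        out += b"\r\n" + body + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


def parse_multipart(body, boundary=BOUNDARY):
    """Return [(lower-cased header dict, raw part body), ...]; minimal parser."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break                                  # closing delimiter
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]                       # that CRLF belongs to the delimiter
        headers = {}
        for line in head.split(b"\r\n"):
            name, sep, value = line.partition(b":")
            if sep:
                headers[name.strip().lower().decode()] = value.strip().decode()
        parts.append((headers, data))
    return parts


def charset_of(headers):
    """charset parameter of the part's Content-Type, lower-cased, or None."""
    m = re.search(r'charset\s*=\s*"?([\w-]+)', headers.get("content-type", ""), re.I)
    return m.group(1).lower() if m else None


def backend_decode(headers, data):
    """What a backend that honours the part headers actually sees."""
    if headers.get("content-transfer-encoding", "").lower() == "base64":
        data = base64.b64decode(data)
    return data.decode(charset_of(headers) or "utf-8", errors="replace")


def body_only_waf(body):
    """Inspector that matches on raw part bodies and ignores part headers.
    Returns the Content-Disposition of every part it flags."""
    return [h.get("content-disposition", "?")
            for h, data in parse_multipart(body) if SQLI_RE.search(data)]


def part_header_check(body):
    """Hypothetical check in the spirit of the advisory's fix: flag parts whose
    headers declare an encoding the body-only inspector would not decode."""
    findings = []
    for headers, _ in parse_multipart(body):
        cte = headers.get("content-transfer-encoding", "").lower()
        if cte and cte not in ("7bit", "8bit", "binary"):
            findings.append(f"content-transfer-encoding={cte}")
        cs = charset_of(headers)
        if cs and cs not in ("utf-8", "us-ascii"):
            findings.append(f"charset={cs}")
    return findings


def sample_requests():
    """Three constructed requests carrying SQLI in the field 'q'."""
    disp = 'form-data; name="q"'
    return {
        "plain": build_multipart([({"Content-Disposition": disp}, SQLI.encode())]),
        "base64": build_multipart([({"Content-Disposition": disp,
                                     "Content-Transfer-Encoding": "base64"},
                                    base64.b64encode(SQLI.encode()))]),
        "utf16": build_multipart([({"Content-Disposition": disp,
                                    "Content-Type": "text/plain; charset=utf-16"},
                                   SQLI.encode("utf-16"))]),
    }


if __name__ == "__main__":
    for label, req in sample_requests().items():
        headers, data = parse_multipart(req)[0]
        print(label, "| body-only WAF:", body_only_waf(req),
              "| backend sees:", backend_decode(headers, data),
              "| header check:", part_header_check(req))
```

Running the block prints that only the plain request is flagged by the body-only inspector, that the backend decodes all three to the same injection string, and that the header check flags exactly the two encoded variants. The design point is the one the advisory makes: a WAF cannot be made to decode every scheme a backend might accept, so the practical defence is to refuse or flag parts that declare a transfer encoding or an unexpected charset at all, which requires the engine to hand the part headers to the rules.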