MGASA-2024-0070 - Updated apache-mod_security-crs packages fix security vulnerabilities

Publication date: 18 Mar 2024
URL: https://advisories.mageia.org/MGASA-2024-0070.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2018-16384,
     CVE-2020-22669,
     CVE-2021-35368,
     CVE-2022-39955,
     CVE-2022-39956,
     CVE-2022-39957,
     CVE-2022-39958

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core
Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a
is a special function name (such as "if") and b is the SQL statement to
be executed. (CVE-2018-16384)
Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a
SQL injection bypass vulnerability. Attackers can use the comment
characters and variable assignments in the SQL syntax to bypass
Modsecurity WAF protection and implement SQL injection attacks on Web
applications. (CVE-2020-22669)
OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1,
and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a
trailing pathname. (CVE-2021-35368)
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule
set bypass by submitting a specially crafted HTTP Content-Type header
field that indicates multiple character encoding schemes. A vulnerable
back-end can potentially be exploited by declaring multiple Content-Type
"charset" names and therefore bypassing the configurable CRS
Content-Type header "charset" allow list. An encoded payload can bypass
CRS detection this way and may then be decoded by the backend.
(CVE-2022-39955)
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule
set bypass for HTTP multipart requests by submitting a payload that uses
a character encoding scheme via the Content-Type or the deprecated
Content-Transfer-Encoding multipart MIME header fields that will not be
decoded and inspected by the web application firewall engine and the
rule set. The multipart payload will therefore bypass detection. A
vulnerable backend that supports these encoding schemes can potentially
be exploited. (CVE-2022-39956)
The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body
bypass. A client can issue an HTTP Accept header field containing an
optional "charset" parameter in order to receive the response in an
encoded form. Depending on the "charset", this response can not be
decoded by the web application firewall. A restricted resource, access
to which would ordinarily be detected, may therefore bypass detection.
(CVE-2022-39957)
The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body
bypass to sequentially exfiltrate small and undetectable sections of
data by repeatedly submitting an HTTP Range header field with a small
byte range. A restricted resource, access to which would ordinarily be
detected, may be exfiltrated from the backend, despite being protected
by a web application firewall that uses CRS. Short subsections of a
restricted resource may bypass pattern matching techniques and allow
undetected access. (CVE-2022-39958)

References:
- https://bugs.mageia.org/show_bug.cgi?id=30977
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4Q7DCCE37GT5ZBJOWP4NGUD4L3FAMDB/
- https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6MS5GMNYHFFIBWLJW7N3XAD24SLF3PFZ/
- https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
- https://www.debian.org/lts/security/2023/dla-3293
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16384
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22669
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35368
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39955
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39956
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39957
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39958

SRPMS:
- 9/core/apache-mod_security-crs-3.3.5-1.mga9

Mageia 2024-0070: apache-mod_security-crs security update

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as ...

Summary

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a is a special function name (such as "if") and b is the SQL statement to be executed. (CVE-2018-16384) Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a SQL injection bypass vulnerability. Attackers can use the comment characters and variable assignments in the SQL syntax to bypass Modsecurity WAF protection and implement SQL injection attacks on Web applications. (CVE-2020-22669) OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname. (CVE-2021-35368) The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass by submitting a specially crafted HTTP Content-Type header field that indicates multiple character encoding schemes. A vulnerable back-end can potentially be exploited by declaring multiple Content-Type "charset" names and therefore bypassing the configurable CRS Content-Type header "charset" allow list. An encoded payload can bypass CRS detection this way and may then be decoded by the backend. (CVE-2022-39955) The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. (CVE-2022-39956) The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass. A client can issue an HTTP Accept header field containing an optional "charset" parameter in order to receive the response in an encoded form. Depending on the "charset", this response can not be decoded by the web application firewall. A restricted resource, access to which would ordinarily be detected, may therefore bypass detection. (CVE-2022-39957) The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. (CVE-2022-39958)

References

- https://bugs.mageia.org/show_bug.cgi?id=30977

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4Q7DCCE37GT5ZBJOWP4NGUD4L3FAMDB/

- https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6MS5GMNYHFFIBWLJW7N3XAD24SLF3PFZ/

- https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/

- https://www.debian.org/lts/security/2023/dla-3293

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16384

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22669

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35368

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39955

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39956

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39957

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39958

Resolution

MGASA-2024-0070 - Updated apache-mod_security-crs packages fix security vulnerabilities

SRPMS

- 9/core/apache-mod_security-crs-3.3.5-1.mga9

Severity
Publication date: 18 Mar 2024
URL: https://advisories.mageia.org/MGASA-2024-0070.html
Type: security
CVE: CVE-2018-16384, CVE-2020-22669, CVE-2021-35368, CVE-2022-39955, CVE-2022-39956, CVE-2022-39957, CVE-2022-39958

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved