MGASA-2024-0070 - Updated apache-mod_security-crs packages fix security vulnerabilities

Publication date: 18 Mar 2024
URL: https://advisories.mageia.org/MGASA-2024-0070.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2018-16384,
     CVE-2020-22669,
     CVE-2021-35368,
     CVE-2022-39955,
     CVE-2022-39956,
     CVE-2022-39957,
     CVE-2022-39958

A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity Core
Rule Set (owasp-modsecurity-crs) through v3.1.0-rc3 via {`a`b} where a
is a special function name (such as "if") and b is the SQL statement to
be executed. (CVE-2018-16384)
Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a
SQL injection bypass vulnerability. Attackers can use the comment
characters and variable assignments in the SQL syntax to bypass
Modsecurity WAF protection and implement SQL injection attacks on Web
applications. (CVE-2020-22669)
OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1,
and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a
trailing pathname. (CVE-2021-35368)
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule
set bypass by submitting a specially crafted HTTP Content-Type header
field that indicates multiple character encoding schemes. A vulnerable
back-end can potentially be exploited by declaring multiple Content-Type
"charset" names and therefore bypassing the configurable CRS
Content-Type header "charset" allow list. An encoded payload can bypass
CRS detection this way and may then be decoded by the backend.
(CVE-2022-39955)
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule
set bypass for HTTP multipart requests by submitting a payload that uses
a character encoding scheme via the Content-Type or the deprecated
Content-Transfer-Encoding multipart MIME header fields that will not be
decoded and inspected by the web application firewall engine and the
rule set. The multipart payload will therefore bypass detection. A
vulnerable backend that supports these encoding schemes can potentially
be exploited. (CVE-2022-39956)
The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body
bypass. A client can issue an HTTP Accept header field containing an
optional "charset" parameter in order to receive the response in an
encoded form. Depending on the "charset", this response can not be
decoded by the web application firewall. A restricted resource, access
to which would ordinarily be detected, may therefore bypass detection.
(CVE-2022-39957)
The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body
bypass to sequentially exfiltrate small and undetectable sections of
data by repeatedly submitting an HTTP Range header field with a small
byte range. A restricted resource, access to which would ordinarily be
detected, may be exfiltrated from the backend, despite being protected
by a web application firewall that uses CRS. Short subsections of a
restricted resource may bypass pattern matching techniques and allow
undetected access. (CVE-2022-39958)

References:
- https://bugs.mageia.org/show_bug.cgi?id=30977
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/C4Q7DCCE37GT5ZBJOWP4NGUD4L3FAMDB/
- https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6MS5GMNYHFFIBWLJW7N3XAD24SLF3PFZ/
- https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
- https://www.debian.org/lts/security/2023/dla-3293
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16384
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22669
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35368
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39955
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39956
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39957
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39958

SRPMS:
- 9/core/apache-mod_security-crs-3.3.5-1.mga9