openSUSE Security Update: Security update for modsecurity ______________________________________________________________________________ Announcement ID: openSUSE-SU-2023:0257-1 Rating: moderate References: #1210993 #1213702 Cross-References: CVE-2020-15598 CVE-2021-42717 CVE-2023-28882 CVE-2023-38285 CVSS scores: CVE-2020-15598 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-42717 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2021-42717 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-28882 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2023-28882 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2023-38285 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Affected Products: openSUSE Backports SLE-15-SP5 ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: This update for modsecurity fixes the following issues: Update to version 3.0.10: * Security impacting issue (fix boo#1213702, CVE-2023-38285) - Fix: worst-case time in implementation of four transformations - Additional information on this issue is available at https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-do s-vulnerability-in-four-transformations-cve-2023-38285/ * Enhancements and bug fixes - Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED - Make MULTIPART_PART_HEADERS accessible to lua - Fix: Lua scripts cannot read whole collection at once - Fix: quoted Include config with wildcard - Support isolated PCRE match limits - Fix: meta actions not applied if multiMatch in first rule of chain - Fix: audit log may omit tags when multiMatch - Exclude CRLF from MULTIPART_PART_HEADER value - Configure: use AS_ECHO_N instead echo -n - Adjust position of memset from 2890 Update to version 3.0.9: * Add some member variable inits in Transaction class (possible segfault) * Fix: possible segfault on reload if duplicate ip+CIDR in ip match list * Resolve memory leak on reload (bison-generated variable) * Support equals sign in XPath expressions * Encode two special chars in error.log output * Add JIT support for PCRE2 * Support comments in ipMatchFromFile file via '#' token * Use name package name libmaxminddb with pkg-config * Fix: FILES_TMP_CONTENT collection key should use part name * Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro * During configure, do not check for pcre if pcre2 specified * Use pkg-config to find libxml2 first * Fix two rule-reload memory leak issues * Correct whitespace handling for Include directive - Fix CVE-2023-28882, a segfault and a resultant crash of a worker process in some configurations with certain inputs, boo#1210993 Update to version 3.0.8 * Adjust parser activation rules in modsecurity.conf-recommended [#2796] * Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [#2795] * Prevent LMDB related segfault [#2755, #2761] * Fix msc_transaction_cleanup function comment typo [#2788] * Fix: MULTIPART_INVALID_PART connected to wrong internal variable [#2785] * Restore Unique_id to include random portion after timestamp [#2752, #2758] Update to version 3.0.7 * Support PCRE2 * Support SecRequestBodyNoFilesLimit * Add ctl:auditEngine action support * Move PCRE2 match block from member variable * Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended * Fix memory leak when concurrent log includes REMOTE_USER * Fix LMDB initialization issues * Fix initcol error message wording * Tolerate other parameters after boundary in multipart C-T * Add DebugLog message for bad pattern in rx operator * Fix misuses of LMDB API * Fix duplication typo in code comment * Fix multiMatch msg, etc, population in audit log * Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc. * Adjust confusing variable name in setRequestBody method * Multipart names/filenames may include single quote if double-quote enclosed * Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended Update to version 3.0.6 * Security issue: Support configurable limit on depth of JSON parsing, possible DoS issue. CVE-2021-42717 Update to version 3.0.5 * New: Having ARGS_NAMES, variables proxied * Fix: FILES variable does not use multipart part name for key * GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE * Support configurable limit on number of arguments processed * Adds support to lua 5.4 * Add support for new operator rxGlobal * Fix: Replaces put with setenv in SetEnv action * Fix: Regex key selection should not be case-sensitive * Fix: Only delete Multipart tmp files after rules have run * Fixed MatchedVar on chained rules * Fix IP address logging in Section A * Fix: rx: exit after full match (remove /g emulation); ensure capture groups occuring after unused groups still populate TX vars * Fix rule-update-target for non-regex * Fix Security Impacting Issues: * Handle URI received with uri-fragment, CVE-2020-15598 update to 3.0.4: * Fix: audit log data omitted when nolog,auditlog * Fix: ModSecurity 3.x inspectFile operator does not pass * XML: Remove error messages from stderr * Filter comment or blank line for pmFromFile operator * Additional adjustment to Cookie header parsing * Restore chained rule part H logging to be more like 2.9 behaviour * Small fixes in log messages to help debugging the file upload * Fix Cookie header parsing issues * Fix rules with nolog are logging to part H * Fix argument key-value pair parsing cases * Fix: audit log part for response body for JSON format to be E * Make sure m_rulesMessages is filled after successfull match * Fix @pm lookup for possible matches on offset zero. * Regex lookup on the key name instead of COLLECTION:key * Missing throw in Operator::instantiate * Making block action execution dependent of the SecEngine status * Making block action execution dependent of the SecEngine status * Having body limits to respect the rule engine state * Fix SecRuleUpdateTargetById does not match regular expressions * Adds missing check for runtime ctl:ruleRemoveByTag * Adds a new operator verifySVNR that checks for Austrian social security numbers. * Fix variables output in debug logs * Correct typo validade in log output * fix/minor: Error encoding hexa decimal. * Limit more log variables to 200 characters. * parser: fix parsed file names * Allow empty anchored variable * Fixed FILES_NAMES collection after the end of multipart parsing * Fixed validateByteRange parsing method * Removes a memory leak on the JSON parser * Enables LMDB on the regression tests. * Fix: Extra whitespace in some configuration directives causing error * Refactoring on Regex and SMatch classes. * Fixed buffer overflow in Utils::Md5::hexdigest() * Implemented merge() method for ConfigInt, ConfigDouble, ConfigString * Adds initially support to the drop action. * Complete merging of particular rule properties * Replaces AC_CHECK_FILE with 'test -f' * Fix inet addr handling on 64 bit big endian systems * Fix tests on FreeBSD * Changes ENV test case to read the default MODSECURTIY env var * Regression: Sets MODSECURITY env var during the tests execution * Fix setenv action to strdup key=variable * Allow 0 length JSON requests. * Fix "make dist" target to include default configuration * Replaced log locking using mutex with fcntl lock * Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES * Adds support to multiple ranges in ctl:ruleRemoveById * Rule variable interpolation broken * Make the boundary check less strict as per RFC2046 * Fix buffer size for utf8toUnicode transformation * Fix double macros bug * Override the default status code if not suitable to redirect action * parser: Fix the support for CRLF configuration files * Organizes the server logs * m_lineNumber in Rule not mapping with the correct line number in file * Using shared_ptr instead of unique_ptr on rules exceptions * Changes debuglogs schema to avoid unecessary str allocation * Fix the SecUnicodeMapFile and SecUnicodeCodePage * Changes the timing to save the rule message * Fix crash in msc_rules_add_file() when using disruptive action in chain * Fix memory leak in AuditLog::init() * Fix RulesProperties::appendRules() * Fix RULE lookup in chained rules * @ipMatch "Could not add entry" on slash/32 notation in 2.9.0 * Using values after transformation at MATCHED_VARS * Adds support to UpdateActionById. * Add correct C function prototypes for msc_init and msc_create_rule_set * Allow LuaJIT 2.1 to be used * Match m_id JSON log with RuleMessage and v2 format * Adds support to setenv action. * Adds new transaction constructor that accepts the transaction id as parameter. * Adds request IDs and URIs to the debug log * Treating variables exception on load-time instead of run time. * Fix: function m.setvar in Lua scripts and add testcases * Fix SecResponseBodyAccess and ctl:requestBodyAccess directives * Fix OpenBSD build * Fix parser to support GeoLookup with MaxMind * parser: Fix simple quote setvar in the end of the line * Fix pc file * modsec_rules_check: uses the gnu `.la' instead of `.a' file * good practices: Initialize variables before use it * Fix utf-8 character encoding conversion * Adds support for ctl:requestBodyProcessor=URLENCODED * Add LUA compatibility for CentOS and try to use LuaJIT first if available * Allow LuaJIT to be used * Implement support for Lua 5.1 * Variable names must match fully, not partially. Match should be case insensitive. * Improves the performance while loading the rules * Allow empty strings to be evaluated by regex::searchAll * Adds basic pkg-config info * Fixed LMDB collection errors * Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors * Fix ip tree lookup on netmask content * Changes the behavior of the default sec actions * Refactoring on {global,ip,resources,session,tx,user} collections * Fix race condition in UniqueId::uniqueId() * Fix memory leak in error message for msc_rules_merge C APIs * Return false in SharedFiles::open() when an error happens * Use rvalue reference in ModSecurity::serverLog * Build System: Fix when multiple lines for curl version. * Checks if response body inspection is enabled before process it * Fix setvar parsing of quoted data * Adds time stamp back to the audit logs * Disables skip counter if debug log is disabled * Cosmetics: Represents amount of skipped rules without decimal * Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser * Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp. * Fix memory leak in modsecurity::utils::expandEnv() * Initialize m_dtd member in ValidateDTD class as NULL * Fix broken @detectxss operator regression test case * Fix utils::string::ssplit() to handle delimiter in the end of string * Fix variable FILES_TMPNAMES * Fix memory leak in Collections * Fix lib version information while generating the .so file * Adds support for ctl:ruleRemoveByTag * Fix SecUploadDir configuration merge * Include all prerequisites for "make check" into dist archive * Fix: Reverse logic of checking output in @inspectFile * Adds support to libMaxMind * Adds capture action to detectXSS * Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator * Adds capture action to detectSQLi * Adds capture action to rbl * Adds capture action to verifyCC * Adds capture action to verifySSN * Adds capture action to verifyCPF * Prettier error messages for unsupported configurations (UX) * Add missing verify*** transformation statements to parser * Fix a set of compilation warnings * Check for disruptive action on SecDefaultAction. * Fix block-block infinite loop. * Correction remove_by_tag and remove_by_msg logic. * Fix LMDB compile error * Fix msc_who_am_i() to return pointer to a valid C string * Added some cosmetics to autoconf related code * Fix "make dist" target to include necessary headers for Lua * Fix "include /foo/*.conf" for single matched object in directory * Add missing Base64 transformation statements to parser * Fixed resource load on ip match from file * Fixed examples compilation while using disable-shared * Fixed compilation issue while xml is disabled * Having LDADD and LDFLAGS organized on Makefile.am * Checking std::deque size before use it * perf improvement: Added the concept of RunTimeString and removed all run time parser. * perf improvement: Checks debuglog level before format debug msg * perf. improvement/rx: Only compute dynamic regex in case of macro * Fix uri on the benchmark utility * disable Lua on systems with liblua5.1 Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2023-257=1 Package List: - openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64): libmodsecurity3-3.0.10-bp155.3.3.1 modsecurity-3.0.10-bp155.3.3.1 modsecurity-devel-3.0.10-bp155.3.3.1 - openSUSE Backports SLE-15-SP5 (aarch64_ilp32): libmodsecurity3-64bit-3.0.10-bp155.3.3.1 - openSUSE Backports SLE-15-SP5 (x86_64): libmodsecurity3-32bit-3.0.10-bp155.3.3.1 References: https://www.suse.com/security/cve/CVE-2020-15598.html https://www.suse.com/security/cve/CVE-2021-42717.html https://www.suse.com/security/cve/CVE-2023-28882.html https://www.suse.com/security/cve/CVE-2023-38285.html https://bugzilla.suse.com/1210993 https://bugzilla.suse.com/1213702