SUSE 5172 Published by

A modsecurity security update has been released for SUSE Linux Enterprise 15 SP5.



openSUSE-SU-2023:0257-1: moderate: Security update for modsecurity


openSUSE Security Update: Security update for modsecurity
_______________________________

Announcement ID: openSUSE-SU-2023:0257-1
Rating: moderate
References: #1210993 #1213702
Cross-References: CVE-2020-15598 CVE-2021-42717 CVE-2023-28882
CVE-2023-38285
CVSS scores:
CVE-2020-15598 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-42717 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-42717 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-28882 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2023-28882 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE-2023-38285 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes four vulnerabilities is now available.

Description:

This update for modsecurity fixes the following issues:

Update to version 3.0.10:

* Security impacting issue (fix boo#1213702, CVE-2023-38285)

- Fix: worst-case time in implementation of four transformations
- Additional information on this issue is available at
https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-do
s-vulnerability-in-four-transformations-cve-2023-38285/

* Enhancements and bug fixes
- Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
- Make MULTIPART_PART_HEADERS accessible to lua
- Fix: Lua scripts cannot read whole collection at once
- Fix: quoted Include config with wildcard
- Support isolated PCRE match limits
- Fix: meta actions not applied if multiMatch in first rule of chain
- Fix: audit log may omit tags when multiMatch
- Exclude CRLF from MULTIPART_PART_HEADER value
- Configure: use AS_ECHO_N instead echo -n
- Adjust position of memset from 2890

Update to version 3.0.9:

* Add some member variable inits in Transaction class (possible segfault)
* Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
* Resolve memory leak on reload (bison-generated variable)
* Support equals sign in XPath expressions
* Encode two special chars in error.log output
* Add JIT support for PCRE2
* Support comments in ipMatchFromFile file via '#' token
* Use name package name libmaxminddb with pkg-config
* Fix: FILES_TMP_CONTENT collection key should use part name
* Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
* During configure, do not check for pcre if pcre2 specified
* Use pkg-config to find libxml2 first
* Fix two rule-reload memory leak issues
* Correct whitespace handling for Include directive

- Fix CVE-2023-28882, a segfault and a resultant crash of a worker process
in some configurations with certain inputs, boo#1210993

Update to version 3.0.8

* Adjust parser activation rules in modsecurity.conf-recommended [#2796]
* Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [#2795]
* Prevent LMDB related segfault [#2755, #2761]
* Fix msc_transaction_cleanup function comment typo [#2788]
* Fix: MULTIPART_INVALID_PART connected to wrong internal variable [#2785]
* Restore Unique_id to include random portion after timestamp [#2752,
#2758]

Update to version 3.0.7

* Support PCRE2
* Support SecRequestBodyNoFilesLimit
* Add ctl:auditEngine action support
* Move PCRE2 match block from member variable
* Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
* Fix memory leak when concurrent log includes REMOTE_USER
* Fix LMDB initialization issues
* Fix initcol error message wording
* Tolerate other parameters after boundary in multipart C-T
* Add DebugLog message for bad pattern in rx operator
* Fix misuses of LMDB API
* Fix duplication typo in code comment
* Fix multiMatch msg, etc, population in audit log
* Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById,
etc.
* Adjust confusing variable name in setRequestBody method
* Multipart names/filenames may include single quote if double-quote
enclosed
* Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended

Update to version 3.0.6

* Security issue: Support configurable limit on depth of JSON parsing,
possible DoS issue. CVE-2021-42717

Update to version 3.0.5

* New: Having ARGS_NAMES, variables proxied
* Fix: FILES variable does not use multipart part name for key
* GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
* Support configurable limit on number of arguments processed
* Adds support to lua 5.4
* Add support for new operator rxGlobal
* Fix: Replaces put with setenv in SetEnv action
* Fix: Regex key selection should not be case-sensitive
* Fix: Only delete Multipart tmp files after rules have run
* Fixed MatchedVar on chained rules
* Fix IP address logging in Section A
* Fix: rx: exit after full match (remove /g emulation); ensure capture
groups occuring after unused groups still populate TX vars
* Fix rule-update-target for non-regex
* Fix Security Impacting Issues:
* Handle URI received with uri-fragment, CVE-2020-15598

update to 3.0.4:

* Fix: audit log data omitted when nolog,auditlog
* Fix: ModSecurity 3.x inspectFile operator does not pass
* XML: Remove error messages from stderr
* Filter comment or blank line for pmFromFile operator
* Additional adjustment to Cookie header parsing
* Restore chained rule part H logging to be more like 2.9 behaviour
* Small fixes in log messages to help debugging the file upload
* Fix Cookie header parsing issues
* Fix rules with nolog are logging to part H
* Fix argument key-value pair parsing cases
* Fix: audit log part for response body for JSON format to be E
* Make sure m_rulesMessages is filled after successfull match
* Fix @pm lookup for possible matches on offset zero.
* Regex lookup on the key name instead of COLLECTION:key
* Missing throw in Operator::instantiate
* Making block action execution dependent of the SecEngine status
* Making block action execution dependent of the SecEngine status
* Having body limits to respect the rule engine state
* Fix SecRuleUpdateTargetById does not match regular expressions
* Adds missing check for runtime ctl:ruleRemoveByTag
* Adds a new operator verifySVNR that checks for Austrian social security
numbers.
* Fix variables output in debug logs
* Correct typo validade in log output
* fix/minor: Error encoding hexa decimal.
* Limit more log variables to 200 characters.
* parser: fix parsed file names
* Allow empty anchored variable
* Fixed FILES_NAMES collection after the end of multipart parsing
* Fixed validateByteRange parsing method
* Removes a memory leak on the JSON parser
* Enables LMDB on the regression tests.
* Fix: Extra whitespace in some configuration directives causing error
* Refactoring on Regex and SMatch classes.
* Fixed buffer overflow in Utils::Md5::hexdigest()
* Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
* Adds initially support to the drop action.
* Complete merging of particular rule properties
* Replaces AC_CHECK_FILE with 'test -f'
* Fix inet addr handling on 64 bit big endian systems
* Fix tests on FreeBSD
* Changes ENV test case to read the default MODSECURTIY env var
* Regression: Sets MODSECURITY env var during the tests execution
* Fix setenv action to strdup key=variable
* Allow 0 length JSON requests.
* Fix "make dist" target to include default configuration
* Replaced log locking using mutex with fcntl lock
* Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
* Adds support to multiple ranges in ctl:ruleRemoveById
* Rule variable interpolation broken
* Make the boundary check less strict as per RFC2046
* Fix buffer size for utf8toUnicode transformation
* Fix double macros bug
* Override the default status code if not suitable to redirect action
* parser: Fix the support for CRLF configuration files
* Organizes the server logs
* m_lineNumber in Rule not mapping with the correct line number in file
* Using shared_ptr instead of unique_ptr on rules exceptions
* Changes debuglogs schema to avoid unecessary str allocation
* Fix the SecUnicodeMapFile and SecUnicodeCodePage
* Changes the timing to save the rule message
* Fix crash in msc_rules_add_file() when using disruptive action in chain
* Fix memory leak in AuditLog::init()
* Fix RulesProperties::appendRules()
* Fix RULE lookup in chained rules
* @ipMatch "Could not add entry" on slash/32 notation in 2.9.0
* Using values after transformation at MATCHED_VARS
* Adds support to UpdateActionById.
* Add correct C function prototypes for msc_init and msc_create_rule_set
* Allow LuaJIT 2.1 to be used
* Match m_id JSON log with RuleMessage and v2 format
* Adds support to setenv action.
* Adds new transaction constructor that accepts the transaction id as
parameter.
* Adds request IDs and URIs to the debug log
* Treating variables exception on load-time instead of run time.
* Fix: function m.setvar in Lua scripts and add testcases
* Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
* Fix OpenBSD build
* Fix parser to support GeoLookup with MaxMind
* parser: Fix simple quote setvar in the end of the line
* Fix pc file
* modsec_rules_check: uses the gnu `.la' instead of `.a' file
* good practices: Initialize variables before use it
* Fix utf-8 character encoding conversion
* Adds support for ctl:requestBodyProcessor=URLENCODED
* Add LUA compatibility for CentOS and try to use LuaJIT first if available
* Allow LuaJIT to be used
* Implement support for Lua 5.1
* Variable names must match fully, not partially. Match should be case
insensitive.
* Improves the performance while loading the rules
* Allow empty strings to be evaluated by regex::searchAll
* Adds basic pkg-config info
* Fixed LMDB collection errors
* Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors
* Fix ip tree lookup on netmask content
* Changes the behavior of the default sec actions
* Refactoring on {global,ip,resources,session,tx,user} collections
* Fix race condition in UniqueId::uniqueId()
* Fix memory leak in error message for msc_rules_merge C APIs
* Return false in SharedFiles::open() when an error happens
* Use rvalue reference in ModSecurity::serverLog
* Build System: Fix when multiple lines for curl version.
* Checks if response body inspection is enabled before process it
* Fix setvar parsing of quoted data
* Adds time stamp back to the audit logs
* Disables skip counter if debug log is disabled
* Cosmetics: Represents amount of skipped rules without decimal
* Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
* Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
* Fix memory leak in modsecurity::utils::expandEnv()
* Initialize m_dtd member in ValidateDTD class as NULL
* Fix broken @detectxss operator regression test case
* Fix utils::string::ssplit() to handle delimiter in the end of string
* Fix variable FILES_TMPNAMES
* Fix memory leak in Collections
* Fix lib version information while generating the .so file
* Adds support for ctl:ruleRemoveByTag
* Fix SecUploadDir configuration merge
* Include all prerequisites for "make check" into dist archive
* Fix: Reverse logic of checking output in @inspectFile
* Adds support to libMaxMind
* Adds capture action to detectXSS
* Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
* Adds capture action to detectSQLi
* Adds capture action to rbl
* Adds capture action to verifyCC
* Adds capture action to verifySSN
* Adds capture action to verifyCPF
* Prettier error messages for unsupported configurations (UX)
* Add missing verify*** transformation statements to parser
* Fix a set of compilation warnings
* Check for disruptive action on SecDefaultAction.
* Fix block-block infinite loop.
* Correction remove_by_tag and remove_by_msg logic.
* Fix LMDB compile error
* Fix msc_who_am_i() to return pointer to a valid C string
* Added some cosmetics to autoconf related code
* Fix "make dist" target to include necessary headers for Lua
* Fix "include /foo/*.conf" for single matched object in directory
* Add missing Base64 transformation statements to parser
* Fixed resource load on ip match from file
* Fixed examples compilation while using disable-shared
* Fixed compilation issue while xml is disabled
* Having LDADD and LDFLAGS organized on Makefile.am
* Checking std::deque size before use it
* perf improvement: Added the concept of RunTimeString and removed all run
time parser.
* perf improvement: Checks debuglog level before format debug msg
* perf. improvement/rx: Only compute dynamic regex in case of macro
* Fix uri on the benchmark utility
* disable Lua on systems with liblua5.1

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2023-257=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 i586 ppc64le s390x x86_64):

libmodsecurity3-3.0.10-bp155.3.3.1
modsecurity-3.0.10-bp155.3.3.1
modsecurity-devel-3.0.10-bp155.3.3.1

- openSUSE Backports SLE-15-SP5 (aarch64_ilp32):

libmodsecurity3-64bit-3.0.10-bp155.3.3.1

- openSUSE Backports SLE-15-SP5 (x86_64):

libmodsecurity3-32bit-3.0.10-bp155.3.3.1

References:

https://www.suse.com/security/cve/CVE-2020-15598.html
https://www.suse.com/security/cve/CVE-2021-42717.html
https://www.suse.com/security/cve/CVE-2023-28882.html
https://www.suse.com/security/cve/CVE-2023-38285.html
https://bugzilla.suse.com/1210993
https://bugzilla.suse.com/1213702