SB2023082164 - Fedora EPEL 7 update for libmodsecurity
Published: August 21, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Improper handling of exceptional conditions (CVE-ID: CVE-2019-25043)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of errors while parsing key-value pair. A remote attacker can send a specially crafted header to the server and perform a denial of service (DoS) attack, as demonstrated by a "string index out of range" error and worker-process crash for a "Cookie: =abc" header.
2) Resource exhaustion (CVE-ID: CVE-2020-15598)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources while performing global matching of regular expressions in a combination of the ModSecurity “capture” action. A remote attacker can send a specially crafted HTTP request to the server and perform a denial of service (DoS) attack.
3) Protection mechanism failure (CVE-ID: CVE-2021-35368)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures within the default CRS ruleset. An attacker can bypass implemented security restrictions and exploit vulnerabilities in the CMS that is protected with ModSecurity with the OWASP ModSecurity Core Rule Set (CRS).
4) Uncontrolled Recursion (CVE-ID: CVE-2021-42717)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled recursion when processing excessively nested JSON objects. A remote attacker can send a specially crafted HTTP request and consume all available worker processes and CPU resources.
Remediation
Install update from vendor's website.