SOLVED [EA-8506] ModSecurity 2.9.3 results in Apache service failures

[cPanelMichael]

Hello Everyone,

The following update to the ea-apache24-mod_security2 RPM was included as part of the initial May 29 EasyApache 4 Release:

EA-8081 - Update Mod_security2 to 2.9.3

Upon the publication of this update, we observed reports of Apache service failures stemming from ModSecurity segmentation faults. Here's an example of the log output observed in /var/log/messages on affected systems:

kernel: [123456.123456] httpd[12345]: segfault at 9 ip 0000000000000000 sp 0000000000000 error 4 in mod_security2.so

We removed the updated ea-apache24-mod_security2 RPM from the EA4 update mirrors to prevent this from affecting additional servers, however it's possible the updated RPM was installed on your server if the update was performed in the first two hours after the initial publication.

To see which ea-apache24-mod_security2 RPM version is installed on your server, execute the following command:

rpm -qa|grep ea-apache24-mod_security2

If the name of the RPM seen in the output of this command starts with ea-apache24-mod_security2-2.9.2, no additional action is required.

If the name of the RPM seen in the output of this command starts with ea-apache24-mod_security2-2.9.3, execute the following commands to downgrade it to the previous version:

yum clean all
yum downgrade ea-apache24-mod_security2

Let us know if you have any questions.

Thank you.

 

[SJR]

Michael, thank you for update. My server received the update to 2.9.3 but I am 'not' experiencing any problems.

1. Do you recommend I do the downgrade anyway?
2. Do you have eta on when this update will be fixed and re-published?

Thank you!

 

[cPanelMichael]

Hello @SJR,

Good question! I recommend downgrading the RPM on production servers even if you don't observe any issues (it's no longer supported and is removed from our EA4 YUM repo). We are definitely planning to patch the RPM and publish it again, but I don't have a firm ETA to provide at this time. I'll update the following thread with more information as soon as it's available:

In Progress - [EA-8081] ModSecurity v2.9.3 update

Thank you.

 

[SJR]

For some reason I am not able to downgrade:

I run:
rpm -qa|grep ea-apache24-mod_security2
I get:
root [/]# rpm -qa|grep ea-apache24-mod_security2
ea-apache24-mod_security2-2.9.3-1.1.1.cpanel.x86_64
root [/]# _

I run:
yum clean all
I get:
root [/]# yum clean all
Loaded plugins: fastestmirror, universal-hooks
Cleaning repos: EA4 cpanel-addons-production-feed cpanel-plugins base extras
: mysql-connectors-community mysql-tools-community
: mysql57-community updates
Other repos take up 1.0 M of disk space (use --verbose for details)
root [/]# _

I run:
yum downgrade ea-apache24-mod_security2
I get:
root [/]# yum downgrade ea-apache24-mod_security2
Loaded plugins: fastestmirror, universal-hooks
Determining fastest mirrors
* EA4: 208.43.108.66
* cpanel-addons-production-feed: 208.43.108.66
* cpanel-plugins: 208.43.108.66
Resolving Dependencies
--> Running transaction check
---> Package ea-apache24-mod_security2.x86_64 0:2.9.2-11.11.7.cpanel will be a downgrade
---> Package ea-apache24-mod_security2.x86_64 0:2.9.3-1.1.1.cpanel will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository
Size
================================================================================
Downgrading:
ea-apache24-mod_security2 x86_64 2.9.2-11.11.7.cpanel EA4 253 k

Transaction Summary
================================================================================
Downgrade 1 Package

Total download size: 253 k

And then the server seems to hang for a very long time...
If I now run again:
rpm -qa|grep ea-apache24-mod_security2
I still get:
root [/]# rpm -qa|grep ea-apache24-mod_security2
ea-apache24-mod_security2-2.9.3-1.1.1.cpanel.x86_64
root [/]# _

If I run again:
yum clean all
I now get this message repeating over and over:
Another app is currently holding the yum lock; waiting for it to exit...
The other application is: yum
Memory : 121 M RSS (491 MB VSZ)
Started: Thu May 30 09:51:22 2019 - 08:15 ago
State : Sleeping, pid: 22926

Any suggestions with this?
Thank you!

 

[cPanelMichael]

Another app is currently holding the yum lock; waiting for it to exit...

Hello @SJR,

It looks like a YUM process is hanging on your server. You can identify the hanging process ID with the following command:

ps auxfww | grep yum

Use the "kill -9 $PID" command to kill any YUM processes that are hanging, and then run "yum clean all" again to see if that helps.

Thank you.

 

[cPanelMichael]

Hello Everyone,

Mod_Security version 2.9.3 was published as part of today's EasyApache 4 release:

EA-8506: Fix update to Mod_Security 2.9.3: Update is segfaulting on some servers

The full EasyApache 4 change log is available on the link below:

EasyApache 4 Change Log 2019 - EasyApache 4 - cPanel Documentation

Thank you.