Since there isn't a way to update just yet, it's fine to keep 2.9.3. Our team is working on the update now and I'll be sure to post once there are more details to share.
Hi,
Owasp 3.2.3 and 3.3.4 needs Modsecurity 2.9.6 to work without problems.
The security update for CRS rules is a critical update and requires ModSecurity 2.9.6 to be able to update CRS to the latest version 3.2.3 or 3.3.4 otherwise CVE-2022-39956
We have to wait for cpanel to update Modsecurity to 2.9.6 and also OWASP to 3.3.4
We are currently using Modsecurity 2.9.3 and OWASP 3.3.2
Hope they release the update quickly
Last edited:
Hi,
are following correct ?
1. that is OWASP CRS's security issue,not modsecurity ?
2. September 19, 2022 release both 3.3.3 and 3.2.2 to fix the secure issue,
and September 20, 2022 release 3.3.4/3.2.3 to fix 3.3.3/3.2.2's bug ?
CRS Version 3.3.3 and 3.2.2 (covering several CVEs) – OWASP ModSecurity Core Rule Set
CRS Version 3.3.4 and 3.2.3 fix a regression – OWASP ModSecurity Core Rule Set
3. no matter 3.3.3 or 3.3.4,
all need ModSecurity 2.9.6 to apply,
but cpanel only support ModSecurity 2.9.3 and CRS 3.3.2 now,
that is why we can not apply CRS 3.3.4,correct ?
are following correct ?
1. that is OWASP CRS's security issue,not modsecurity ?
2. September 19, 2022 release both 3.3.3 and 3.2.2 to fix the secure issue,
and September 20, 2022 release 3.3.4/3.2.3 to fix 3.3.3/3.2.2's bug ?
CRS Version 3.3.3 and 3.2.2 (covering several CVEs) – OWASP ModSecurity Core Rule Set
CRS Version 3.3.4 and 3.2.3 fix a regression – OWASP ModSecurity Core Rule Set
3. no matter 3.3.3 or 3.3.4,
all need ModSecurity 2.9.6 to apply,
but cpanel only support ModSecurity 2.9.3 and CRS 3.3.2 now,
that is why we can not apply CRS 3.3.4,correct ?
Does anybody know if cpanel has plans to keep supporting ModSecurity after Trustwave fully transitions out?
Hi,
1.
The security problem is mainly on OWASP,
Release announcement covering fixes for CVE-2022-39955, CVE-2022-39956, CVE-2022-39957 and CVE-2022-39958, additional security fixes and security fixes in the latest ModSecurity releases 2.9.6 and 3.0.8.
in any case it also affects Modsecurity < 2.9.6
CVE-2022-39956
Important: The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an updated version with backports of the security fixes in these versions.
If you fail to update ModSecurity, the webserver/engine will refuse to start with the following error message: "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS".
You can disable/remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround.
Please note that we plan to move the rules in REQUEST-922-MULTIPART-ATTACK.conf to the 920 or 921 rule files in the future. The rules are kept separate for the time being to accommodate users who can't update ModSecurity or where the engine does not yet support the new variables/collections.
Releases · SpiderLabs/ModSecurity
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs. It has a robust event-based programmin...
github.com
Modsecurity 2.9.6 increases security in general, there are some important changes
New features and security impacting issues
- Adjust parser activation rules in modsecurity.conf-recommended
[Issue #2799 - @terjanq, @martinhsv] - Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
[Issue #2797 - @terjanq, @martinhsv]
2. Correct
3. Correct
Don't feel too bad.Hi cPRex,
Isn't it that the developers have forgotten?
I'm still awaiting resolution for the issue described at:
In Progress - CPANEL-41308 - Autoresponder - Use of uninitialized value in pattern match
Initially I thought this was part of the problem addressed in CPANEL-40473, but CPANEL-40473 was fixed in cPanel 102.0.20 and the problem I am seeing remains. Apparently the perl code being used in the autoresponder code can't deal with [ and ] characters in the From or Reply-To field. Steps...
And I basically told them how to fix it.
Hi,
I just point out that Modsecurity and OWASP CRS on Plesk 18.0.48 have been updated to 2.9.6 and 3.3.4, three days ago.
If I remember correctly, from 2018 Plesk and Cpanel are practically cousins
docs.plesk.com
We are talking about a very important security update that should still be a priority
I just point out that Modsecurity and OWASP CRS on Plesk 18.0.48 have been updated to 2.9.6 and 3.3.4, three days ago.
If I remember correctly, from 2018 Plesk and Cpanel are practically cousins
Change Log for Plesk Obsidian
Find out about changes, additions and updates to Plesk Obsidian on an iteration to iteration basis.
docs.plesk.com
We are talking about a very important security update that should still be a priority
@cPRex
I think I see some news posted 6 hours ago
github.com
github.com
EA-10944: Update ea-modsec2-rules-owasp-crs from v3.3.2 to v3.3.4
Do you have any news on the official release via Easy apache of Modsecurity 2.9.6 and OWASP CRS 3.3.4?
Thanks
I think I see some news posted 6 hours ago
cPanel, L.L.C.
cPanel, L.L.C. has 230 repositories available. Follow their code on GitHub.
github.com
GitHub - CpanelInc/ea-modsec2-rules-owasp-crs
Contribute to CpanelInc/ea-modsec2-rules-owasp-crs development by creating an account on GitHub.
github.com
EA-10944: Update ea-modsec2-rules-owasp-crs from v3.3.2 to v3.3.4
Do you have any news on the official release via Easy apache of Modsecurity 2.9.6 and OWASP CRS 3.3.4?
Thanks
EasyApache 4 December 7 Release
We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4! Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on...
- ea-modsec2-rules-owasp-crs
- EA-10944: Update ea-modsec2-rules-owasp-crs from v3.3.2 to v3.3.4
- CVE-2022-39955 – Multiple charsets defined in Content-Type header
- CVE-2022-39956 – Content-Type or Content-Transfer-Encoding MIME header fields abuse
- CVE-2022-39957 – Charset accept header field resulting in response rule set bypass
- CVE-2022-39958 – Small range header leading to response rule set bypass
- EA-10944: Update ea-modsec2-rules-owasp-crs from v3.3.2 to v3.3.4
- mod_security2
- EA-11068: Update mod_security2 from v2.9.3 to v2.9.6
- CVE - CVE-2022-39956 partial rule set bypass for HTTP multipart requests
- Security: Support configurable limit on depth of JSON parsing (possible DoS issue
- EA-11068: Update mod_security2 from v2.9.3 to v2.9.6
Thanks
That brings a new problem now:
Code:
[root@host ~]# /usr/local/cpanel/scripts/modsec_vendor update --auto
info [modsec_vendor] Updates are in progress for all of the installed ModSecurity vendors with automatic updates enabled.
warn [modsec_vendor] The system could not add the vendor: The vendor metadata does not contain an entry for your version of ModSecurity, “2.9.6”. The only versions of ModSecurity this rule set supports are “2.7.5”, “2.7.7”, “2.8.0”, “2.9.0”, “2.9.1”, “2.9.2”, “2.9.3”, and “3.0.4”.
info [modsec_vendor] Restored modsec_cpanel_conf_datastore backup
The system failed to update the vendor from the URL “https://files.imunify360.com/static/modsec/v2/meta_imunify360-full-litespeed.yaml”: The vendor metadata does not contain an entry for your version of ModSecurity, “2.9.6”. The only versions of ModSecurity this rule set supports are “2.7.5”, “2.7.7”, “2.8.0”, “2.9.0”, “2.9.1”, “2.9.2”, “2.9.3”, and “3.0.4”.
warn [modsec_vendor] The system failed to update the vendor from the URL “https://files.imunify360.com/static/modsec/v2/meta_imunify360-full-litespeed.yaml”: The vendor metadata does not contain an entry for your version of ModSecurity, “2.9.6”. The only versions of ModSecurity this rule set supports are “2.7.5”, “2.7.7”, “2.8.0”, “2.9.0”, “2.9.1”, “2.9.2”, “2.9.3”, and “3.0.4”.| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| A | ModSecurity to disable for Wordpress | Security | 8 | |
| K | Modsecurity and cpanel questions | Security | 3 | |
| C | OWASP ModSecurity Core Rule Set 3.3.5 [Security Fix] | Security | 1 | |
|
Allowing HTTP methods PATCH and DELETE in modsecurity | Security | 3 | |
|
ModSecurity: Transformation Caching Unstable, Fixed, But Deprecated | Security | 2 |