Modsecurity 2.9.6 [Fix Security]

ciao70

Well-Known Member
Nov 3, 2006
Hi,

Is it fine to keep 2.9.3 and OWASP 3.2.2? Or is it urgent and important to use 2.9.6 and 3.3.4 ASAP?
Hi,

OWASP 3.2.3 and 3.3.4 need ModSecurity 2.9.6 to work without problems.

The security update for CRS rules is a critical update and requires ModSecurity 2.9.6 to be able to update CRS to the latest version 3.2.3 or 3.3.4, otherwise CVE-2022-39956

We have to wait for cPanel to update ModSecurity to 2.9.6 and also OWASP to 3.3.4

We are currently using ModSecurity 2.9.3 and OWASP 3.3.2

Hope they release the update quickly :)

tyuuu

Well-Known Member
Oct 16, 2005
Hi,

Are the following correct?

1. That is OWASP CRS's security issue, not ModSecurity's?

2. The September 19, 2022 release of both 3.3.3 and 3.2.2 fixed the security issue,
and the September 20, 2022 release of 3.3.4/3.2.3 fixed 3.3.3/3.2.2's bug?

CRS Version 3.3.3 and 3.2.2 (covering several CVEs) – OWASP ModSecurity Core Rule Set
CRS Version 3.3.4 and 3.2.3 fix a regression – OWASP ModSecurity Core Rule Set

3. No matter whether 3.3.3 or 3.3.4,
all need ModSecurity 2.9.6 to apply,
but cPanel only supports ModSecurity 2.9.3 and CRS 3.3.2 now;
that is why we cannot apply CRS 3.3.4, correct?
 

ciao70

Well-Known Member
Nov 3, 2006
Hi,

Are the following correct?

1. That is OWASP CRS's security issue, not ModSecurity's?

2. The September 19, 2022 release of both 3.3.3 and 3.2.2 fixed the security issue,
and the September 20, 2022 release of 3.3.4/3.2.3 fixed 3.3.3/3.2.2's bug?

CRS Version 3.3.3 and 3.2.2 (covering several CVEs) – OWASP ModSecurity Core Rule Set
CRS Version 3.3.4 and 3.2.3 fix a regression – OWASP ModSecurity Core Rule Set

3. No matter whether 3.3.3 or 3.3.4,
all need ModSecurity 2.9.6 to apply,
but cPanel only supports ModSecurity 2.9.3 and CRS 3.3.2 now;
that is why we cannot apply CRS 3.3.4, correct?

Hi,

1.

The security problem is mainly on the OWASP side:

Release announcement covering fixes for CVE-2022-39955, CVE-2022-39956, CVE-2022-39957 and CVE-2022-39958, additional security fixes and security fixes in the latest ModSecurity releases 2.9.6 and 3.0.8.

In any case it also affects ModSecurity < 2.9.6

CVE-2022-39956

Important:
The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6/v3.0.8) or an updated version with backports of the security fixes in these versions.
If you fail to update ModSecurity, the webserver/engine will refuse to start with the following error message: "Error creating rule: Unknown variable: MULTIPART_PART_HEADERS".
You can disable/remove the rule file REQUEST-922-MULTIPART-ATTACK.conf from the release in order to allow you to run the latest CRS without a fix to CVE-2022-39956, however we advise against this workaround.
Please note that we plan to move the rules in REQUEST-922-MULTIPART-ATTACK.conf to the 920 or 921 rule files in the future. The rules are kept separate for the time being to accommodate users who can't update ModSecurity or where the engine does not yet support the new variables/collections.

ModSecurity 2.9.6 increases security in general; there are some important changes:
New features and security impacting issues

It is important to first update ModSecurity to 2.9.6 and then OWASP

2. Correct

3. Correct
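A pre-flight check for the situation described in this reply, added here as an example and not code from the thread, cPanel or the OWASP CRS project: it decides whether an installed ModSecurity 2.x build can load a CRS release that uses the MULTIPART_PART_HEADERS variable, so the engine update is done before the rules update rather than discovered at restart time. It assumes a ModSecurity 2.x engine (the 3.0.8 threshold is not handled) and CRS rule files stored as *.conf in one directory; the rule files it builds are constructed stand-ins, not real CRS rules.

```shell
#!/bin/sh
# Added example (not from the thread, cPanel or OWASP CRS). CRS 3.2.3 / 3.3.4 ships
# REQUEST-922-MULTIPART-ATTACK.conf, which uses MULTIPART_PART_HEADERS; a ModSecurity
# 2.x engine older than 2.9.6 refuses to start with "Unknown variable: MULTIPART_PART_HEADERS".
# Assumptions: ModSecurity 2.x only (3.0.8 line not handled), rules are *.conf in one dir.

# version_ge A B: succeed when dotted version A >= B (three numeric components;
# missing components count as 0, so "2.9" compares as 2.9.0).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1.0.0" | cut -d. -f"$i")
        y=$(printf '%s\n' "$2.0.0" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# crs_compat_check VERSION RULES_DIR: succeed if this engine can load the rule set.
crs_compat_check() {
    ver=$1; dir=$2
    if version_ge "$ver" 2.9.6; then
        echo "ModSecurity $ver: rules using MULTIPART_PART_HEADERS are supported"
        return 0
    fi
    # Engine too old: list the files that would trigger the start-up error.
    offending=$(grep -ls 'MULTIPART_PART_HEADERS' "$dir"/*.conf)
    if [ -n "$offending" ]; then
        echo "ModSecurity $ver is older than 2.9.6; the engine will refuse to start on:"
        echo "$offending"
        echo "Update the engine first; dropping the file gives up the CVE-2022-39956 mitigation."
        return 1
    fi
    echo "ModSecurity $ver: no rule file uses MULTIPART_PART_HEADERS"
    return 0
}

# make_sample_rules DIR: two constructed, cut-down rule files (not real CRS rules).
make_sample_rules() {
    printf 'SecRule MULTIPART_PART_HEADERS:* "@rx ^.*$" "id:922100,phase:2,deny"\n' \
        > "$1/REQUEST-922-MULTIPART-ATTACK.conf"
    printf 'SecRule REQUEST_HEADERS:Host "@rx ^$" "id:920280,phase:1,deny"\n' \
        > "$1/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"
}

# Demo: 2.9.3 (cPanel's build at the time of the thread) fails, 2.9.6 passes.
demo=$(mktemp -d); make_sample_rules "$demo"
crs_compat_check 2.9.3 "$demo" || true; crs_compat_check 2.9.6 "$demo"; rm -r "$demo"
```

Point `crs_compat_check` at the directory EasyApache installs the CRS rules into and at the version string from the ModSecurity package to check a real host.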
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level: Root Administrator
Hi cPRex,

Isn't it that the developers have forgotten? :)
Don't feel too bad.

I'm still awaiting resolution for the issue described at:


And I basically told them how to fix it.
 

ciao70

Well-Known Member
Nov 3, 2006
Hi,

I just want to point out that ModSecurity and OWASP CRS on Plesk 18.0.48 were updated to 2.9.6 and 3.3.4 three days ago.

If I remember correctly, since 2018 Plesk and cPanel have been practically cousins.

We are talking about a very important security update that should still be a priority.
 

ciao70

Well-Known Member
Nov 3, 2006
@cPRex

I think I see some news posted 6 hours ago:

EA-10944: Update ea-modsec2-rules-owasp-crs from v3.3.2 to v3.3.4

Do you have any news on the official release via EasyApache of ModSecurity 2.9.6 and OWASP CRS 3.3.4?

Thanks