-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.0490
                    modsecurity-apache security update
                              27 January 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           modsecurity-apache
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-24021 CVE-2022-48279 CVE-2022-39956

Original Bulletin: 
   http://www.debian.org/lts/security/2023/dla-3283

Comment: CVSS (Max):  9.8 CVE-2022-39956 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: [NVD], Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3283-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                         Tobias Frost
January 26, 2023                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : modsecurity-apache
Version        : 2.9.3-1+deb10u2
CVE ID         : CVE-2022-48279 CVE-2023-24021
Debian Bug     : 1029329

Multiple issues were found in modsecurity-apache, an open source, cross-platform
web application firewall (WAF) engine for Apache, which allow remote attackers
to bypass the application firewall or cause other, unspecified impact.

CVE-2022-48279

    In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart
    requests were incorrectly parsed and could bypass the Web Application
    Firewall.
    NOTE: this is related to CVE-2022-39956, but the fixes can be considered
    independent changes to the ModSecurity (C language) codebase.

CVE-2023-24021

    Incorrect handling of null bytes in file uploads in ModSecurity
    before 2.9.7 may allow for Web Application Firewall bypasses and
    buffer overflows on the Web Application Firewall when executing
    rules reading the FILES_TMP_CONTENT collection.

For Debian 10 buster, these problems have been fixed in version
2.9.3-1+deb10u2.

We recommend that you upgrade your modsecurity-apache packages.

For the detailed security status of modsecurity-apache please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/modsecurity-apache

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----