Bug 2131317 (CVE-2022-39956)

Summary: CVE-2022-39956 mod_security_crs: Content-Type or Content-Transfer-Encoding MIME header fields abuse
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: athmanem, luhliari, werner.klein
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mod_security_crs 3.2.2, mod_security_crs 3.3.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the OWASP ModSecurity Core Rule Set. A payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields allows HTTP multipart requests to bypass detection.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2131318, 2131346, 2131347    
Bug Blocks: 2128790    

Description Guilherme de Almeida Suckevicz 2022-09-30 17:03:56 UTC
The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rule set bypass for HTTP multipart requests by submitting a payload that uses a character encoding scheme via the Content-Type or the deprecated Content-Transfer-Encoding multipart MIME header fields that will not be decoded and inspected by the web application firewall engine and the rule set. The multipart payload will therefore bypass detection. A vulnerable backend that supports these encoding schemes can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised upgrade to 3.2.2 and 3.3.3 respectively. The mitigation against these vulnerabilities depends on the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).

Reference:
https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

Comment 1 Guilherme de Almeida Suckevicz 2022-09-30 17:04:11 UTC
Created mod_security_crs tracking bugs for this issue:

Affects: fedora-all [bug 2131318]