Bug 2131321 (CVE-2022-39958)

Summary: CVE-2022-39958 mod_security_crs: Small range header leading to response rule set bypass
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: athmanem, luhliari
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: mod_security_crs 3.2.2, mod_security_crs 3.3.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the OWASP ModSecurity Core Rule Set. Repeated requests carrying an HTTP Range header field with a small byte range allow a response body bypass, resulting in access to restricted resources.
Story Points: ---
Bug Depends On: 2131322, 2131350, 2131351
Bug Blocks: 2128790

Description Guilherme de Almeida Suckevicz 2022-09-30 17:11:47 UTC
The OWASP ModSecurity Core Rule Set (CRS) is affected by a response body bypass to sequentially exfiltrate small and undetectable sections of data by repeatedly submitting an HTTP Range header field with a small byte range. A restricted resource, access to which would ordinarily be detected, may be exfiltrated from the backend, despite being protected by a web application firewall that uses CRS. Short subsections of a restricted resource may bypass pattern matching techniques and allow undetected access. The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the currently supported versions 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3 respectively and to configure a CRS paranoia level of 3 or higher.

Reference:
https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
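The bypass described above works because a response-body rule only ever sees one small slice at a time, so a signature spanning the whole resource never matches. The natural defensive counterpart is a request-side check that notices Range headers asking for very few bytes. The following is an added illustration of that check; it is not CRS rule code, and the threshold, function names and sample requests are constructed assumptions rather than values taken from the rule set.

```python
"""Request-side check for suspiciously small HTTP Range requests.

Added illustration for CVE-2022-39958 (not CRS rule code).  A body-matching
rule cannot match a signature split across many tiny ranged responses, so a
WAF can flag the *request* pattern instead.  Threshold and sample data are
constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed policy threshold (not a CRS value): report any requested byte range
# shorter than this.  Tune per deployment.
MIN_RANGE_BYTES = 1024

_BYTES_RE = re.compile(r"^\s*bytes\s*=\s*(.+?)\s*$", re.IGNORECASE)
_SPEC_RE = re.compile(r"^(\d*)\s*-\s*(\d*)$")


@dataclass(frozen=True)
class ByteRange:
    first: Optional[int]  # None for a suffix range such as "-500"
    last: Optional[int]   # None for an open-ended range such as "500-"

    def length(self, resource_size: Optional[int] = None) -> Optional[int]:
        """Bytes the spec would return, or None if it cannot be known yet."""
        if self.first is None:                 # suffix range: last N bytes
            return self.last
        if self.last is None:                  # open range: needs the size
            return None if resource_size is None else max(resource_size - self.first, 0)
        return self.last - self.first + 1


def parse_range_header(value: str) -> List[ByteRange]:
    """Parse an RFC 9110 'bytes=' Range header; ValueError on anything malformed."""
    m = _BYTES_RE.match(value)
    if not m:
        raise ValueError(f"unsupported or malformed Range header: {value!r}")
    specs: List[ByteRange] = []
    for part in m.group(1).split(","):
        part = part.strip()
        sm = _SPEC_RE.match(part)
        if not sm or (sm.group(1) == "" and sm.group(2) == ""):
            raise ValueError(f"malformed range spec: {part!r}")
        first = int(sm.group(1)) if sm.group(1) else None
        last = int(sm.group(2)) if sm.group(2) else None
        if first is not None and last is not None and last < first:
            raise ValueError(f"range end before start: {part!r}")
        specs.append(ByteRange(first, last))
    if not specs:
        raise ValueError("empty range set")
    return specs


def small_ranges(value: str, resource_size: Optional[int] = None,
                 threshold: int = MIN_RANGE_BYTES) -> List[ByteRange]:
    """Return the specs in a Range header that ask for fewer than `threshold` bytes."""
    out = []
    for spec in parse_range_header(value):
        n = spec.length(resource_size)
        if n is not None and n < threshold:
            out.append(spec)
    return out


def scan_requests(requests, threshold: int = MIN_RANGE_BYTES):
    """Flag (path, reason) for requests whose Range header asks for a tiny slice.

    `requests` is an iterable of (method, path, headers_dict).  Unparsable Range
    headers are reported as well, since the body rule would never see the full
    response for them either.
    """
    findings = []
    for _method, path, headers in requests:
        rng = headers.get("Range")
        if rng is None:
            continue
        try:
            tiny = small_ranges(rng, threshold=threshold)
        except ValueError as exc:
            findings.append((path, f"malformed Range header ({exc})"))
            continue
        if tiny:
            findings.append((path, f"small byte range(s) requested: {[s.length() for s in tiny]}"))
    return findings


# Constructed sample traffic (not captured data) for a stand-alone run.
SAMPLE_REQUESTS = [
    ("GET", "/videos/intro.mp4", {"Range": "bytes=0-1048575"}),    # ordinary 1 MiB chunk
    ("GET", "/config/backup.sql", {"Range": "bytes=0-7"}),         # 8-byte slice
    ("GET", "/config/backup.sql", {"Range": "bytes=8-15, 16-23"}), # two 8-byte slices
    ("GET", "/config/backup.sql", {"Range": "bytes=-4"}),          # last 4 bytes only
    ("GET", "/index.html", {}),                                    # no Range header
    ("GET", "/config/backup.sql", {"Range": "bytes=abc"}),         # garbage value
]

if __name__ == "__main__":
    for path, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"{path}: {reason}")
```

Open-ended ranges such as `bytes=500-` are only judged when the resource size is supplied, since their length is unknown at request time; a deployment that wants to be strict about those can pass the size from its routing layer. The advisory's own recommendation, raising the CRS paranoia level to 3 or higher on the fixed releases, is what enables the equivalent request-side rule in the real rule set.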

Comment 1 Guilherme de Almeida Suckevicz 2022-09-30 17:12:01 UTC
Created mod_security_crs tracking bugs for this issue:

Affects: fedora-all [bug 2131322]