Bug 2226930 (CVE-2023-38285)

Summary: CVE-2023-38285 mod_security: DoS Vulnerability in Four Transformations
Product: [Other] Security Response
Reporter: Sandipan Roy <saroy>
Component: vulnerability
Assignee: Nobody <nobody>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: csutherl, hhorak, jclere, jorton, luhliari, mturk, peholase, pjindal, plodge, szappis
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ModSecurity 3.0.10
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Trustwave's ModSecurity project due to an inefficient algorithmic complexity flaw. This issue is present in four transformation actions: removeWhitespace, removeNull, replaceNull, and removeCommentsChar. By sending a maliciously crafted HTTP request, an attacker could trigger worst-case performance, causing a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-08-01 11:58:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2227131, 2226932, 2226933
Bug Blocks: 2226931

Comment 5 TEJ RATHI 2023-07-28 05:27:12 UTC
Created mod_security3 tracking bugs for this issue:

Affects: fedora-all [bug 2227131]

Comment 6 TEJ RATHI 2023-07-28 05:46:17 UTC
Statement: ModSecurity v2.x is not affected. CVE-2023-38285 only affects ModSecurity v3.x releases. None of our products ships ModSecurity v3.x builds. Hence, Red Hat Enterprise Linux, Red Hat Software Collections and Red Hat JBoss Core Services are not affected by this CVE.

Comment 7 Product Security DevOps Team 2023-08-01 11:58:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-38285