Bug 867424 (CVE-2012-4528)

Summary: CVE-2012-4528 mod_security: multipart/invalid part ruleset bypass
Product: [Other] Security Response
Reporter: Athmane Madjoudj <athmanem>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: athmanem, jlieskov, jrusnack, pvrabec
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard: impact=moderate,public=20121015,reported=20121017,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,fedora-all/mod_security=affected,epel-all/mod_security=affected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 867773, 867774
Bug Blocks:

Description Athmane Madjoudj 2012-10-17 09:35:35 EDT
ModSecurity <= 2.6.8 is vulnerable to a multipart/invalid part ruleset bypass; this was fixed in 2.7.0 (released on 2012-10-16).

http://seclists.org/fulldisclosure/2012/Oct/113

CVE request: http://www.openwall.com/lists/oss-security/2012/10/17/1

Packages in EPEL and Fedora are affected, update will be released today.
Comment 1 Jan Lieskovsky 2012-10-18 05:01:19 EDT
Thank you for your report, Athmane.
Comment 2 Jan Lieskovsky 2012-10-18 05:02:41 EDT
Relevant upstream patch seems to be this one:
[1] http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&sortby=date&revision=2081

but checking with Breno Silva yet:
[2] http://www.openwall.com/lists/oss-security/2012/10/18/7

to confirm / disprove it.
Comment 4 Jan Lieskovsky 2012-10-18 05:28:28 EDT
This issue affects the versions of the mod_security package, as shipped with Fedora releases 16 and 17. Please schedule an update.

--

This issue affects the versions of the mod_security package, as shipped with Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update.
Comment 5 Jan Lieskovsky 2012-10-18 05:29:57 EDT
Created mod_security tracking bugs for this issue

Affects: fedora-all [bug 867773]
Affects: epel-all [bug 867774]
Comment 6 Jan Lieskovsky 2012-10-18 09:04:51 EDT
Above patch confirmed by Breno Silva (that reply doesn't seem to have made it to the OSS list yet, inlining below):
--
Hello Jan,

Yes, I can confirm the issue and the patch.

Thanks

Breno
--

Please schedule the updates.
Comment 7 Vincent Danen 2012-10-18 16:42:50 EDT
This was assigned CVE-2012-4528:

http://www.openwall.com/lists/oss-security/2012/10/18/14
Comment 8 Fedora Update System 2012-11-23 03:07:51 EST
mod_security_crs-2.2.6-3.fc18, mod_security-2.7.1-3.fc18 have been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-12-01 03:36:15 EST
mod_security_crs-2.2.6-3.fc17, mod_security-2.7.1-3.fc17 have been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2012-12-03 15:36:06 EST
mod_security-2.6.8-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2012-12-13 15:05:43 EST
mod_security-2.7.1-3.el6, mod_security_crs-2.2.6-3.el6 have been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.