Bug 867424 (CVE-2012-4528)

Summary: CVE-2012-4528 mod_security: multipart/invalid part ruleset bypass
Product: [Other] Security Response
Reporter: Othman Madjoudj <athmanem>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: athmanem, jlieskov, jrusnack, pvrabec
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:59:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 867773, 867774
Bug Blocks:

Description Othman Madjoudj 2012-10-17 13:35:35 UTC
ModSecurity <= 2.6.8 is vulnerable to a multipart/invalid part ruleset bypass; this was fixed in 2.7.0 (released on 2012-10-16).

http://seclists.org/fulldisclosure/2012/Oct/113

CVE request: http://www.openwall.com/lists/oss-security/2012/10/17/1

Packages in EPEL and Fedora are affected, update will be released today.

Comment 1 Jan Lieskovsky 2012-10-18 09:01:19 UTC
Thank you for your report, Athmane.

Comment 2 Jan Lieskovsky 2012-10-18 09:02:41 UTC
Relevant upstream patch seems to be this one:
[1] http://mod-security.svn.sourceforge.net/viewvc/mod-security?view=revision&sortby=date&revision=2081

but checking with Breno Silva yet:
[2] http://www.openwall.com/lists/oss-security/2012/10/18/7

to confirm / disprove it.

Comment 4 Jan Lieskovsky 2012-10-18 09:28:28 UTC
This issue affects the versions of the mod_security package, as shipped with Fedora releases 16 and 17. Please schedule an update.

--

This issue affects the versions of the mod_security package, as shipped with Fedora EPEL 5 and Fedora EPEL 6. Please schedule an update.

Comment 5 Jan Lieskovsky 2012-10-18 09:29:57 UTC
Created mod_security tracking bugs for this issue

Affects: fedora-all [bug 867773]
Affects: epel-all [bug 867774]

Comment 6 Jan Lieskovsky 2012-10-18 13:04:51 UTC
Above patch confirmed by Breno Silva (that reply doesn't seem to have made it to the OSS list yet, inlining below):
--
Hello Jan,

Yes, I can confirm the issue and the patch.

Thanks

Breno
--

Please schedule the updates.

Comment 7 Vincent Danen 2012-10-18 20:42:50 UTC
This was assigned CVE-2012-4528:

http://www.openwall.com/lists/oss-security/2012/10/18/14

Comment 8 Fedora Update System 2012-11-23 08:07:51 UTC
mod_security_crs-2.2.6-3.fc18, mod_security-2.7.1-3.fc18 have been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2012-12-01 08:36:15 UTC
mod_security_crs-2.2.6-3.fc17, mod_security-2.7.1-3.fc17 have been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2012-12-03 20:36:06 UTC
mod_security-2.6.8-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2012-12-13 20:05:43 UTC
mod_security-2.7.1-3.el6, mod_security_crs-2.2.6-3.el6 have been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Product Security DevOps Team 2019-06-10 10:59:30 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.