Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2101020

Summary: RESPONSE_STATUS rule breaks with larger 500 response
Product: Red Hat Enterprise Linux 8 Reporter: Aaron Ogburn <aogburn>
Component: mod_security_crsAssignee: Tomas Korbar <tkorbar>
Status: CLOSED ERRATA QA Contact: Branislav NĂ¡ter <bnater>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.8CC: dmasirka, luhliari, mosvald, tkorbar
Target Milestone: rcKeywords: TestCaseProvided, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: mod_security_crs-3.3.0-4.el8 Doc Type: If docs needed, set a value
Doc Text:
Cause: Response status rule was in phase 4 and evaluated too late. Consequence: Truncated 5xx response could get through mod security, if ProxyIOBufferSize was exceeded, instead of the proper 403 status response. Fix: The appropriate rule was moved to phase 3 and early blocking feature backported. Result: Proper 403 response is now sent to client in case of proxying servers 5xx response bigger than ProxyIOBufferSize.
 Story Points: ---
Clone Of:
: 2115313 2124200 (view as bug list) Environment:
Last Closed: 2023-05-16 08:38:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2115313, 2124200    
Deadline: 2022-10-24   

Description Aaron Ogburn 2022-06-24 21:23:45 UTC 
Description of problem:

The RESPONSE_STATUS rule from RESPONSE-950-DATA-LEAKAGES.conf fails with a larger proxied 500 response or if some smaller response spans packets.  Instead of turning it to a 403, it still returns the backend app 500 and it may also truncate the 500 response.

Version-Release number of selected component (if applicable):

latest


How reproducible:

Always with large 500 response exceeding default 8kb ProxyIOBufferSize


Steps to Reproduce:
1. install httpd, mod_security and mod_security_crs
2. Enable paranoia level 2 

SecAction \
  "id:900000,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:tx.paranoia_level=2"

3. Set up a  simple proxy pass to some local app backend

ProxyPass / http://localhost:8080/

4. Run an app server like Tomcat or JBoss with the reproducer deployed
5. Request http://localhost/reproducer/500.jsp for a large response that gives a 500. Request http://localhost/reproducer/small500.jsp for a control that will work with a 403.  Request http://localhost/reproducersmall500.jsp?length=9000 to break that control case with a larger content length.

Actual results:

500 is returned with a possible incomplete body

Expected results:

Desired 403 is returned instead of backend app 500


Additional info:

This occurs because the rule runs on phase 4 and interjects only after mod_proxy has already started flushing some 500 app response to the client.  Thus, it may block smaller responses that weren't flushed before phase 4 or it truncates 500s that started flushing before phase 4.  The rule needs to block the 500 response in phase 3 instead.  A standalone rule outside the core rule set like this works:

SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
    "id:950101,\
    phase:3,\
    deny,\
    t:none,\
    msg:'The Application Returned a 500-Level Status Code',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    ctl:auditLogParts=+E,\
    severity:'ERROR'"

Adjusting these rules from the core rule set to operate in phase 3 fixes the issue as well:

RESPONSE-959-BLOCKING-EVALUATION.conf:

SecRule TX:PARANOIA_LEVEL "@ge 2" \
    "id:959061,\
    phase:3,\
    pass,\
    t:none,\
    nolog,\
    setvar:'tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl2}'"

SecRule TX:OUTBOUND_ANOMALY_SCORE "@ge %{tx.outbound_anomaly_score_threshold}" \
    "id:959100,\
    phase:3,\
    deny,\
    t:none,\
    msg:'Outbound Anomaly Score Exceeded (Total Score: %{TX.OUTBOUND_ANOMALY_SCORE})',\
    tag:'anomaly-evaluation',\
    ver:'OWASP_CRS/3.3.0',\
    setvar:'tx.anomaly_score=+%{tx.outbound_anomaly_score}'"

RESPONSE-950-DATA-LEAKAGES.conf:

SecRule RESPONSE_STATUS "@rx ^5\d{2}$" \
    "id:950100,\
    phase:3,\
    block,\
    capture,\
    t:none,\
    msg:'The Application Returned a 500-Level Status Code',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-disclosure',\
    tag:'PCI/6.5.6',\
    tag:'paranoia-level/2',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.3.0',\
    severity:'ERROR',\
    setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}',\
    setvar:'tx.anomaly_score_pl2=+%{tx.error_anomaly_score}'"

But this is a larger overall concern that the core rule set has many rules delegated to phase 4.  Those other rules still depend on the PARANOIA_LEVEL/OUTBOUND_ANOMALY_SCORE rules operating in phase 4 so it's not really proper to move them to phase 3. 

This RESPONSE_STATUS is changed to phase 3 in latest 4.0.0 candidate release core rule set:

https://github.com/coreruleset/coreruleset/blob/v4.0/dev/rules/RESPONSE-959-BLOCKING-EVALUATION.conf#L175

But 4.0.0 still doesn't block in phase 3 here by default without an additional EARLY_BLOCKING setting:

https://github.com/coreruleset/coreruleset/blob/v4.0/dev/rules/RESPONSE-959-BLOCKING-EVALUATION.conf#L175


So it blocks based on the 500 response anomaly score only in phase 4 by default to induce the same issue.  But this quite recent early blocking addition is detailed further here and was first released just a few months ago in a 4.0.0 release candidate:

https://coreruleset.org/20220428/coreruleset-v4-rc1-available/
https://coreruleset.org/20220302/the-case-for-early-blocking/


So I tested with it set for early_blocking like so on the 4.0.0 candidate:

SecAction \
  "id:900120,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:tx.early_blocking=1"

This now enabled the block to be done if needed based on the anomaly score in phase 3 and this corrected the issue as expected on the latest 4.0.0 candidate rule set.


Would we consider updating to 4.0.0+ with early blocking or consider backporting that?  Or implement any other improvement to allow such a RESPONSE_STATUS rule to work in our older core rule set versions?
Comment 40 errata-xmlrpc 2023-05-16 08:38:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (mod_security_crs bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:2846
Comment 41 Red Hat Bugzilla 2023-09-18 04:40:11 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days