Bug 2226930 (CVE-2023-38285) - CVE-2023-38285 mod_security: DoS Vulnerability in Four Transformations
Summary: CVE-2023-38285 mod_security: DoS Vulnerability in Four Transformations
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-38285
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2227131 2226932 2226933
Blocks: 2226931
Reported: 2023-07-27 04:14 UTC by Sandipan Roy
Modified: 2023-08-01 11:58 UTC (History)

Fixed In Version: ModSecurity 3.0.10
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Trustwave's ModSecurity project due to an inefficient algorithmic complexity flaw. This issue is present in four transformation actions: removeWhitespace, removeNull, replaceNull, and removeCommentsChar. By sending a maliciously crafted HTTP request, an attacker could trigger worst-case performance, causing a denial of service.
Clone Of:
Environment:
Last Closed: 2023-08-01 11:58:31 UTC
Embargoed:
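The Doc Text names the flaw class (inefficient algorithmic complexity in byte-removing transformations) but not its shape. The C++ below is an added illustration, not code from ModSecurity, Trustwave or Red Hat, of the usual way such a transformation goes quadratic (erasing each matching byte in place, so every hit shifts the whole tail of the buffer) beside the single-pass rewrite that is linear. The function names, the whitespace set and the constructed "crafted request" input are assumptions for the example; this page does not say whether the pre-3.0.10 implementation looked exactly like this.

```cpp
// Added example: quadratic versus linear removeWhitespace-style transformation.
// Not ModSecurity's own code; names, whitespace set and sample input are assumptions.
#include <chrono>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Whitespace set assumed for this example; the real transformation's set may differ.
static bool is_ws(unsigned char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f' || c == '\v';
}

// Naive form: delete each matching byte in place. std::string::erase shifts the
// entire tail left by one, so an argument of n matching bytes costs about n*n/2 byte moves.
std::string remove_whitespace_quadratic(std::string value) {
    std::size_t i = 0;
    while (i < value.size()) {
        if (is_ws(static_cast<unsigned char>(value[i]))) value.erase(i, 1);  // O(n) tail shift per hit
        else ++i;
    }
    return value;
}

// Fixed form: one pass with a write cursor; every byte is examined exactly once.
std::string remove_whitespace_linear(const std::string& value) {
    std::string out;
    out.reserve(value.size());
    for (unsigned char c : value)
        if (!is_ws(c)) out.push_back(static_cast<char>(c));
    return out;
}

// Instrumented copies of both strategies that count byte moves, so the growth
// is visible deterministically rather than with a stopwatch.
std::size_t moves_quadratic(const std::string& value) {
    std::vector<char> buf(value.begin(), value.end());
    std::size_t moves = 0, i = 0;
    while (i < buf.size()) {
        if (is_ws(static_cast<unsigned char>(buf[i]))) {
            // This inner loop is what erase(i, 1) does internally.
            for (std::size_t j = i + 1; j < buf.size(); ++j) { buf[j - 1] = buf[j]; ++moves; }
            buf.pop_back();
        } else {
            ++i;
        }
    }
    return moves;
}

std::size_t moves_linear(const std::string& value) {
    std::size_t moves = 0;
    for (unsigned char c : value)
        if (!is_ws(c)) ++moves;  // one copy per kept byte, nothing for dropped bytes
    return moves;
}

int main() {
    // Constructed stand-in for a crafted request argument: a long run of
    // whitespace bytes followed by a short payload.
    const std::string crafted = std::string(100000, ' ') + "id=1";
    using ms = std::chrono::duration<double, std::milli>;

    auto t0 = std::chrono::steady_clock::now();
    const std::string a = remove_whitespace_quadratic(crafted);
    auto t1 = std::chrono::steady_clock::now();
    const std::string b = remove_whitespace_linear(crafted);
    auto t2 = std::chrono::steady_clock::now();

    std::cout << "quadratic: " << ms(t1 - t0).count() << " ms, linear: "
              << ms(t2 - t1).count() << " ms, outputs equal: " << (a == b) << '\n';

    // Byte-move counts on a smaller input (the quadratic count grows as n*n/2).
    const std::string small(2000, ' ');
    std::cout << "moves for 2000 spaces: quadratic=" << moves_quadratic(small)
              << " linear=" << moves_linear(small) << '\n';
    return a == b ? 0 : 1;
}
```

Doubling the whitespace run in `crafted` roughly quadruples the time of the naive version while the single-pass version stays flat; that asymmetry is exactly what lets one request hold a worker busy.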



Comment 5 TEJ RATHI 2023-07-28 05:27:12 UTC
Created mod_security3 tracking bugs for this issue:

Affects: fedora-all [bug 2227131]

Comment 6 TEJ RATHI 2023-07-28 05:46:17 UTC
Statement: ModSecurity v2.x is not affected. CVE-2023-38285 only affects ModSecurity v3.x releases. None of our products ships ModSecurity v3.x builds. Hence, Red Hat Enterprise Linux, Red Hat Software Collections and Red Hat JBoss Core Services are not affected by this CVE.

Comment 7 Product Security DevOps Team 2023-08-01 11:58:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-38285

