libmodsecurity3 CVE-2023-38285 affecting CRS users

Many CRS users have probably read Trustwave’s recent announcement about the new version of libmodsecurity3 (aka ModSecurity v3) and the reason for the release:

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/

The new version of the WAF library fixes the issue described in that CVE, namely a “DoS Vulnerability in Four Transformations”.

We urge all CRS users who also use libmodsecurity3 to update the library as soon as possible. CRS uses one of the mentioned transformations (removeNull) in several rules. Unfortunately, after analyzing the patch that fixes the bug, we were able to construct a payload that overloaded the libmodsecurity3 engine, which many people use with CRS.

It is important to emphasize that this new vulnerability is not CRS’s fault - the bug affects only libmodsecurity3. If you use Apache and mod_security2 (the CRS reference platform) then your system is not affected.

A side note: if your libmodsecurity3 engine runs in DetectionOnly mode, then the mitigation mentioned in Trustwave’s blog post has no effect, but the issue described in the CVE is still present.

Friends of the CRS project, Digitalwave, have updated their ModSecurity repository so that it now contains the new version of libmodsecurity3 for supported systems (Debian 10, 11, and 12, and Ubuntu 18.04, 20.04, and 22.04). It also contains the new CRS version (3.3.5). The CRS project endorses the use of the Digitalwave packages, especially as some distros are falling behind with updates for ModSecurity and/or OWASP CRS.

Ervin Hegedüs