The OWASP ModSecurity Core Rule Set (CRS) team is proud to announce the availability of release candidate 2 (RC2) of the upcoming CRS v4.0.0 release. The release candidate is available for download as a 'release' from our GitHub repository:
This new release candidate includes over 230 changes. Some of the important changes include:
- Add new rule 920620 to explicitly detect multiple Content-Type abuse (CVE-2023-38199) (Andrea Menin)
- Extend definition of restricted headers to include Content-Encoding and Accept-Charset by default (Walter Hop)
- Migrate application exclusions and less-used functionality to plugins (Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe)
- Add support for HTTP/3 (Jozef Sudolský)
- Add enable_default_collections flag to not initialize collections by default (Matteo Pace)
- Switch to using wordnet instead of spell for finding English words in spell.sh utility (Max Leske)
Refer to the CHANGES.md file in the release for the full list of changes.
It is important to note that this new release candidate is significantly different to the first release candidate which was announced and made available back in April 2022. Two days after the v4.0.0 RC1 release, the CRS project participated in a bug bounty program in April-May 2022 which resulted in 175 security findings being reported. The decision was made to fix the findings in full for the v4.0.0 release, rather than release a half-baked version 4.0 with many newly discovered holes.
The fixes required a significant amount of work over many months. It was sometimes the case that adding the required new detection would cause unforeseen problems, such as introducing new false positives which then needed to be addressed. Fixing all of the security findings in full required the development of new tooling, new rules, new tests, and new approaches. This all took a lot of time to complete to the high standard expected from the CRS project, resulting in an unfortunate delay to v4.0.0.
As a result of fixing the security findings, the RC2 release features a lot of new detection capability. It is highly likely that new false positives will continue to appear as a result, so it is very important for this new release candidate to be tested as widely as possible. Please test this new release candidate and report any false positives encountered. All feedback and reports are gratefully received and will help to make the final v4.0.0 release the best and most comprehensive CRS release ever!
Andrew Howe on behalf of the Core Rule Set development team