libmodsecurity3 CVE-2023-38285 affecting CRS users
Many CRS users have probably read Trustwave's recent announcement about the new version of libmodsecurity3 (also known as ModSecurity v3) and the reason for the release: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/

The new version of the WAF library fixes the issue described in the CVE, namely "DoS Vulnerability in Four Transformations". We would like to draw the attention of all CRS users who also use libmodsecurity3 to the need to update the library as soon as possible. CRS uses one of the mentioned transformations (removeNull) in several rules. Unfortunately, after analyzing the patch that fixes the bug, we were able to construct a payload that overloads the libmodsecurity3 engine, which many people use together with CRS.