CRS version 4.1.0 released
Last week, we released CRS v4.1.0. The new release is the first under the new monthly release schedule and brings a couple of new features and fixes. It includes quality improvements via better rule linting and fixes for false positives across a handful of rules. And: new developer Esad Cetiner has joined the team in time for the 4.1 release. Read the changelog here.
Let CRS 4 be your valentine!
What a Valentine’s Day present we have got for you: today, the Core Rule Set project is releasing CRS 4! Finally, you may say – and would be absolutely right: it took us a long time to get there. But we wanted to do it right, especially after the bug bounty program we took part in left us with over 500 individual findings in roughly 180 reports. Fixing all these needed more time than we originally thought. But the result is a CRS that has never been more secure.
CVE-2021-35368 - CRS Request Body Bypass (Update)
There is a severe security issue in our rule set. It has been present since the release of CRS 3.1.0 and was recently brought to our attention. Here is the official advisory that we are also publishing as CVE-2021-35368 via MITRE (as usual, MITRE will take a few days until they publish this).

Official Advisory for CVE-2021-35368

The OWASP ModSecurity Core Rule Set (CRS) is affected by a request body bypass that abuses trailing pathname information. A backend vulnerability can thus be exploited despite being protected with the CRS Web Application Firewall rule set when an application server accepts additional path info as part of the request URI. All known CRS installations that offer the predefined CRS rule exclusion packages are affected. This applies to end-of-life CRS versions 3.0.x, 3.1.0, 3.1.1 as well as the currently supported versions 3.2.0 and 3.3.0. Integrators and users are advised to upgrade to 3.1.2, 3.2.1 and 3.3.2 respectively.
OWASP ModSecurity Core Rule Set v3.3.0 available
The OWASP ModSecurity Core Rule Set team is proud to announce the final release for CRS v3.3.0. For downloads and installation instructions, please see the Installation page. This release packages many changes, such as:
- Block backup files ending with ~ in filename (Andrea Menin)
- Detect ffuf vuln scanner (Will Woodson)
- Detect Nuclei vuln scanner (azurit)
- Detect SemrushBot crawler (Christian Folini)
- Detect WFuzz vuln scanner (azurit)
- New LDAP injection rule (Christian Folini)
- New HTTP Splitting rule (Andrea Menin)
- Add .swp to restricted extensions (Andrea Menin)
- Allow CloudEvents content types (Bobby Earl)
- Add CAPEC tags for attack classification (Fernando Outeda, Christian Folini)
- Detect Unix RCE bypass techniques via uninitialized variables, string concatenations and globbing patterns (Andrea Menin)
- Many improvements to lower the number of false positives and improve attack detections
Important upgrade notes:
OWASP ModSecurity Core Rule Set v3.3.0 Release Candidate 1 available
The OWASP ModSecurity Core Rule Set team is proud to announce the release candidate 1 for the upcoming CRS v3.3.0 release. The release candidate is available at:
https://github.com/coreruleset/coreruleset/archive/v3.3.0-rc1.tar.gz
https://github.com/coreruleset/coreruleset/archive/v3.3.0-rc1.zip
This release packages many changes, such as:
- New rule to detect LDAP injection
- New HTTP Splitting rule
- Block backup files ending with ~ in filename
- Detect ffuf, Semrush and WFuzz scanners
- Updated exclusion profiles for Nextcloud, WordPress and XenForo
- Improvements to many patterns to improve detection and lower false alarms
Important note: The format of the configuration setting allowed_request_content_type has been changed to be more in line with other variables. If you had manually changed this setting, then you need to update this configuration setting. Please see the example rule 900220 in crs-setup.conf.example. If you didn’t change this setting, you don’t need to do anything.
Announcement: OWASP ModSecurity Core Rule Set Version 3.2.0-RC2
The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of release candidate 2 for the upcoming CRS v3.2.0. The new release is available at:
https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.zip
https://github.com/coreruleset/coreruleset/archive/v3.2.0-rc2.tar.gz
This release represents a very big step forward in terms of both capabilities and protections, including:
- Improved compatibility with ModSecurity 3.x
- Improved CRS docker container that is fully configurable at creation
- Expanded Java RCE blacklist
- Expanded unix shell RCE blacklist
- Improved PHP RCE detection
- New javascript/Node.js RCE detection
- Expanded LFI blacklists
- Added XenForo rule exclusion profile
- Fixes for many false positives and bypasses
- Detection of more security scanners
- Regexp performance improvements preventing ReDoS in most cases
Please see the CHANGES document with around 150 entries for a detailed list of new features and improvements.
https://github.com/coreruleset/coreruleset/blob/v3.2.0-rc2/CHANGES