ModSecurity Versions

ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.

v3.0.12

3 months ago

Security impacting issue

  • Change REQUEST_FILENAME and REQUEST_BASENAME behavior [Issue #3048 - @martinhsv, @theMiddleBlue, @theseion, @M4tteoP, @airween]. Fixes a WAF bypass of the ModSecurity v3 release line for path-based payloads submitted via a specially crafted request URL. For details, see CVE-2024-1019.

Enhancements and bug fixes

  • Set the minimum security protocol version (TLSv1.2) for SecRemoteRules [Issue security/code-scanning/2 - @airween]

v3.0.11

5 months ago

Security impacting issue

  • Add WRDE_NOCMD to wordexp call [Issue #3024 - @sahruldotid, @martinhsv]. Note: although this issue ostensibly allows specially crafted SecRule content to execute OS command-line commands when the rules are loaded, it is unlikely to be a serious issue in most deployments: a malicious actor with access to modify the ModSecurity configuration of an installation can cause severe effects in a multitude of other ways.
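The following is an added example, not ModSecurity project code, showing what the WRDE_NOCMD flag changes in a wordexp() call. wordexp() performs shell-style word expansion (tilde, variables, globbing, quoting) and, unless WRDE_NOCMD is set, also command substitution ("$(...)" and backticks), which hands the input to /bin/sh. With WRDE_NOCMD the library rejects such input with WRDE_CMDSUB before any shell is started. The helper names (expand_nocmd, count_words_nocmd) and the sample strings are constructed for this example.

```c
/* Added example (not ModSecurity project code): demonstrates the effect of
 * WRDE_NOCMD on wordexp(). Inputs containing command substitution are
 * rejected with WRDE_CMDSUB instead of being handed to /bin/sh. */
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Expand `input` with command substitution disabled. Returns the number of
 * resulting words on success, -1 if the input contained command substitution,
 * and -2 for any other wordexp() failure. On a return value >= 0 the caller
 * owns `out` and must release it with wordfree(). */
static int expand_nocmd(const char *input, wordexp_t *out)
{
    int rc = wordexp(input, out, WRDE_NOCMD);
    if (rc == 0)
        return (int)out->we_wordc;
    if (rc == WRDE_CMDSUB)
        return -1;
    return -2;
}

/* Convenience wrapper: expand, report the word count, and free the result. */
static int count_words_nocmd(const char *input)
{
    wordexp_t we;
    int n = expand_nocmd(input, &we);
    if (n >= 0)
        wordfree(&we);
    return n;
}

int main(void)
{
    /* Constructed inputs standing in for a path string read from a rule file */
    const char *samples[] = {
        "/etc/modsecurity/modsecurity.conf /etc/modsecurity/crs.conf",
        "$(date)",   /* command substitution, "$(...)" form */
        "`date`",    /* command substitution, backtick form */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = count_words_nocmd(samples[i]);
        if (n == -1)
            printf("%-60s rejected: command substitution\n", samples[i]);
        else if (n < 0)
            printf("%-60s failed: other wordexp error\n", samples[i]);
        else
            printf("%-60s ok: %d word(s)\n", samples[i], n);
    }
    return 0;
}
```

The point for a reviewer of code that calls wordexp() on configuration-derived strings is that the flag turns an implicit shell invocation into an explicit error return, so the caller decides what to do with the offending value rather than the shell.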

New feature

  • Add support for expirevar action [Issue #1803, #3001 - @martinhsv]

Enhancements and bug fixes

  • Fix: validateDTD compile fails if libxml2 not installed [Issue #3014 - @zangobot, @martinhsv]
  • Fix memory leak of validateDTD's dtd object [Issue #3008 - @martinhsv, @zimmerle ]
  • Fix memory leaks in ValidateSchema [Issue #3005 - @martinhsv, @zimmerle]
  • Fix: lmdb regex match on non-null terminated string [Issue #2985 - @martinhsv]
  • Fix memory leaks in lmdb code (new'd strings) [Issue #2983 - @martinhsv]
  • Configure: add additional name to pcre2 pkg-config list [Issue #2939 - @agebhar1, @fzipi, @martinhsv]

v3.0.10

9 months ago

Security impacting issue

Enhancements and bug fixes

  • Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED [Issue #2901 - @airween]
  • Make MULTIPART_PART_HEADERS accessible to lua [Issue #2916 - @martinhsv]
  • Fix: Lua scripts cannot read whole collection at once [Issue #2900 - @udi-aharon, @airween, @martinhsv]
  • Fix: quoted Include config with wildcard [Issue #2905 - @wiseelf, @airween, @martinhsv]
  • Support isolated PCRE match limits [Issue #2736 - @brandonpayton, @martinhsv]
  • Fix: meta actions not applied if multiMatch in first rule of chain [Issue #2867, #2868 - @mlevogiannis, @martinhsv]
  • Fix: audit log may omit tags when multiMatch [Issue #2866 - @mlevogiannis]
  • Exclude CRLF from MULTIPART_PART_HEADER value [Issue #2870 - @airween, @martinhsv]
  • Configure: use AS_ECHO_N instead of echo -n [Issue #2894 - @liudongmiao, @martinhsv]
  • Adjust position of memset from #2890 [Issue #2891 - @mirkodziadzka-avi, @martinhsv]

v3.0.9

1 year ago

Security issue

  • Add some member variable inits in Transaction class (possible segfault) [Issue #2886 - @GNU-Plus-Windows-User, @airween, @mdounin, @martinhsv]

Enhancements and bug fixes

  • Fix: possible segfault on reload if duplicate ip+CIDR in ip match list [Issue #2877, #2890 - @tomsommer, @martinhsv]
  • Resolve memory leak on reload (bison-generated variable) [Issue #2876 - @martinhsv]
  • Support equals sign in XPath expressions [Issue #2328 - @dennus, @martinhsv]
  • Encode two special chars in error.log output [Issue #2854 - @airween, @martinhsv]
  • Add JIT support for PCRE2 [Issue #2791 - @wfjsw, @airween, @FireBurn, @martinhsv]
  • Support comments in ipMatchFromFile file via '#' token [Issue #2554 - @tomsommer, @martinhsv]
  • Use package name libmaxminddb with pkg-config [Issue #2595, #2596 - @frankvanbever, @ffontaine, @arnout]
  • Fix: FILES_TMP_CONTENT collection key should use part name [Issue #2831 - @airween]
  • Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro [Issue #2806 - @hughmcmaster]
  • During configure, do not check for pcre if pcre2 specified [Issue #2750 - @dvershinin, @martinhsv]
  • Use pkg-config to find libxml2 first [Issue #2714 - @hughmcmaster]
  • Fix two rule-reload memory leak issues [Issue #2801 - @Abce, @martinhsv]
  • Correct whitespace handling for Include directive [Issue #2800 - @877509395, @martinhsv]

v2.9.7

1 year ago

Security impacting issues

  • Fix: FILES_TMP_CONTENT may sometimes lack complete content [Issue #2857 - gieltje, @airween, @dune73, @martinhsv]

New features

  • Support configurable limit on number of arguments processed [Issue #2844 - @jleproust, @martinhsv]
  • Support for PCRE2 [Issue #2840, #2833, #2737, #2827 - @martinhsv]

Bug fixes and enhancements

  • Silence compiler warning about discarded const [Issue #2843 - @Steve8291, @martinhsv]
  • Use uid for user if apr_uid_name_get() fails [Issue #2046 - @arminabf, @marcstern]
  • Fix: handle error with SecConnReadStateLimit configuration [Issue #2815, #2834 - @marcstern, @martinhsv]
  • Adjustment of previous fix for log messages [Issue #2832 - @marcstern, @erkia]
  • Mark apache error log messages as from mod_security2 [Issue #2781 - @erkia]
  • Use pkg-config to find libxml2 first [Issue #2818 - @hughmcmaster]

v2.9.6

1 year ago

Note: additional information on the release and some of the key changes will be published separately in short order.

New features and security impacting issues

  • Adjust parser activation rules in modsecurity.conf-recommended [Issue #2799 - @terjanq, @martinhsv]
  • Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [Issue #2797 - @terjanq, @martinhsv]

Bug fixes

  • Limit rsub null termination to where necessary [Issue #2794 - @marcstern, @martinhsv]
  • IIS: Update dependencies for next planned release [@martinhsv]
  • XML parser cleanup: NULL duplicate pointer [Issue #2760 - @martinhsv]
  • Properly cleanup XML parser contexts upon completion [Issue #2239 - @argenet]
  • Fix memory leak in streams [Issue #2208 - @marcstern, @vloup, @JamesColeman-LW]
  • Fix: negative usec on log line when data type long is 32b [Issue #2753 - @ABrauer-CPT, @martinhsv]
  • mlogc log-line parsing fails due to enhanced timestamp [Issue #2682 - @bozhinov, @ABrauer-CPT, @martinhsv]
  • Allow no-key, single-value JSON body [Issue #2735 - @marcstern, @martinhsv]
  • Set SecStatusEngine Off in modsecurity.conf-recommended [Issue #2717 - @un99known99, @martinhsv]
  • Fix memory leak that occurs on JSON parsing error [Issue #2236 - @argenet, @vloup, @martinhsv]
  • Multipart names/filenames may include single quote if double-quote enclosed [Issue #2352 - @martinhsv]
  • Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended [Issue #2647 - @theMiddleBlue, @airween, @877509395, @martinhsv]

v3.0.8

1 year ago

Note: additional information on the release and some of the key changes will be published separately in short order.

New features and security impacting issues

  • Adjust parser activation rules in modsecurity.conf-recommended [Issue #2796 - @terjanq, @martinhsv]
  • Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [Issue #2795 - @terjanq, @martinhsv]

Bug fixes

  • Prevent LMDB related segfault [Issue #2755, #2761 - @dvershinin]
  • Fix msc_transaction_cleanup function comment typo [Issue #2788 - @lookat23]
  • Fix: MULTIPART_INVALID_PART connected to wrong internal variable [Issue #2785 - @martinhsv]
  • Restore Unique_id to include random portion after timestamp [Issue #2752, #2758 - @datkps11, @martinhsv]

v3.0.7

1 year ago

New features

  • Support PCRE2 [Issue #2668 - @martinhsv]
  • Support SecRequestBodyNoFilesLimit [Issue #2670 - @airween, @martinhsv]
  • Add ctl:auditEngine action support [Issue #2606 - @alekravch, @martinhsv]

Bug fixes

  • Move PCRE2 match block from member variable [@martinhsv]
  • Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended [Issue #2738 - @jleproust, @martinhsv]
  • Fix memory leak when concurrent log includes REMOTE_USER [Issue #2727 - @liudongmiao]
  • Fix LMDB initialization issues [Issue #2688 - @ziollek, @martinhsv]
  • Fix initcol error message wording [Issue #2732 - @877509395, @martinhsv]
  • Tolerate other parameters after boundary in multipart C-T [Issue #1900 - @martinhsv]
  • Add DebugLog message for bad pattern in rx operator [Issue #2723 - @martinhsv]
  • Fix misuses of LMDB API [Issue #2601, #2602 - @hyc]
  • Fix duplication typo in code comment [Issue #2677 - @gleydsonsoares]
  • Fix multiMatch msg, etc, population in audit log [Issue #2573 - @Sachin-M-Desai, @martinhsv]
  • Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc. [Issue #2627, #2648 - @lontchianicet, @victorserbu2709, @martinhsv]
  • Adjust confusing variable name in setRequestBody method [Issue #2635 - @Mesar-Ali, @martinhsv]
  • Multipart names/filenames may include single quote if double-quote enclosed [Issue #2352 - @martinhsv]
  • Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended [Issue #2647 - @theMiddleBlue, @airween, @877509395, @martinhsv]

v2.9.5

2 years ago

Security issue

  • Support configurable limit on depth of JSON parsing (possible DoS issue) [@theMiddleBlue, @airween, @dune73, @martinhsv]

Notes

  • For Windows, as we are not aware of anyone using the 32-bit installer, only the 64-bit installer is now included.
  • Users of ModSecurity that cannot update immediately may wish to consult issue #2647, or the related blog post, for mitigation suggestions.

v3.0.6

2 years ago

Security issue

  • Support configurable limit on depth of JSON parsing (possible DoS issue) [@theMiddleBlue, @martinhsv]
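The v2.9.5 and v3.0.6 security entries above both concern a configurable limit on JSON parsing depth (the SecRequestBodyJsonDepthLimit directive added to modsecurity.conf-recommended in later releases). The following is an added example, not ModSecurity project code, of the kind of bounded nesting-depth check such a limit enforces: a body like "[[[[...]]]]" with tens of thousands of brackets drives an unbounded recursive parser through that many nested calls before any rule runs, whereas a scanner that stops as soon as the configured depth is exceeded does work proportional to the limit, not to the attacker's input. The function names (json_max_depth, nested_arrays), the limit value, and the sample bodies are constructed for this example.

```c
/* Added example (not ModSecurity project code): a depth-bounded scan of a
 * JSON request body. Counts '{' / '[' nesting, ignoring bracket characters
 * inside JSON strings, and aborts as soon as the depth exceeds the limit. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns the maximum nesting depth found in `body`, or -1 as soon as the
 * depth exceeds `limit` (the remainder of the body is not read). */
static int json_max_depth(const char *body, size_t len, int limit)
{
    int depth = 0, max_depth = 0;
    int in_string = 0, escaped = 0;
    for (size_t i = 0; i < len; i++) {
        char c = body[i];
        if (in_string) {
            /* Inside a string: brackets are data, only track escapes/closing quote */
            if (escaped)          escaped = 0;
            else if (c == '\\')   escaped = 1;
            else if (c == '"')    in_string = 0;
            continue;
        }
        switch (c) {
        case '"':
            in_string = 1;
            break;
        case '{': case '[':
            if (++depth > limit)
                return -1;          /* stop early: cost is bounded by `limit` */
            if (depth > max_depth)
                max_depth = depth;
            break;
        case '}': case ']':
            if (depth > 0)
                depth--;
            break;
        default:
            break;
        }
    }
    return max_depth;
}

/* Constructed body of `n` nested empty arrays, e.g. n = 3 -> "[[[]]]".
 * Caller frees the result. */
static char *nested_arrays(size_t n)
{
    char *s = malloc(2 * n + 1);
    if (!s)
        return NULL;
    memset(s, '[', n);
    memset(s + n, ']', n);
    s[2 * n] = '\0';
    return s;
}

int main(void)
{
    const int limit = 512; /* constructed limit for this example */
    const char *normal = "{\"user\": \"alice\", \"roles\": [\"admin\", {\"scope\": \"[all]\"}]}";
    char *deep = nested_arrays(100000);
    if (!deep)
        return 1;

    printf("normal body: max depth %d\n",
           json_max_depth(normal, strlen(normal), limit));
    printf("100000 nested arrays: %s\n",
           json_max_depth(deep, strlen(deep), limit) < 0
               ? "rejected (limit exceeded)" : "accepted");
    free(deep);
    return 0;
}
```

Note that the scanner is deliberately not a full JSON validator; its single job is to bound the nesting depth before the real parser sees the body, which is also why it returns the moment the limit is crossed instead of finishing the scan.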