Bug 1195450 (CVE-2021-42717)

Summary: VUL-0: CVE-2021-42717: apache2-mod_security2: crafted JSON objects with nesting could result in the web server being unable to service legitimate requests
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Danilo Spinella <danilo.spinella>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: danilo.spinella, meissner, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/316704/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-42717:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2022-02-02 15:40:17 UTC 
rh#2031841

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

Reference:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2031841
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42717
http://www.debian.org/security/-1/dsa-5023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42717
http://www.cvedetails.com/cve/CVE-2021-42717/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717/
Comment 1 Carlos López 2022-02-02 15:54:42 UTC 
The following codestreams include the JSON code, but do not contain the fix [0] (included in v2.9.5 and v3.0.6):
 - SUSE:SLE-12-SP1:Update
 - SUSE:SLE-15:Update
 - SUSE:SLE-15-SP4:Update
 - openSUSE:Factory

However, the original report [1] specifies that if modsecurity is built without yajl, the package is not vulnerable. I do not see the `--with-yajl` flag in the .spec file for these codestreams.

@Danilo, could you please confirm whether we build with or without JSON support? Thanks.

[0] https://github.com/SpiderLabs/ModSecurity/commit/41918335fa4c74fba46a986771a5a6cb457070c4
[1] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717/
Comment 2 Danilo Spinella 2022-02-03 11:43:45 UTC 
I can confirm that we build apache2-mod-security2 without support for yajl library.
Comment 3 Carlos López 2022-02-03 12:26:47 UTC 
Thanks for the quick response Danilo. Closing the issue, as builds without JSON support are not affected.