Bug 1195450 - (CVE-2021-42717) VUL-0: CVE-2021-42717: apache2-mod_security2: crafted JSON objects with nesting could result in the web server being unable to service legitimate requests
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Major
Assigned To: Danilo Spinella
Security Team bot
https://smash.suse.de/issue/316704/
CVSSv3.1:SUSE:CVE-2021-42717:7.5:(AV:...
Reported: 2022-02-02 15:40 UTC by Carlos López
Modified: 2022-02-03 12:28 UTC (History)
Found By: Security Response Team
Description Carlos López 2022-02-02 15:40:17 UTC
rh#2031841

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. ModSecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.

Reference:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717/

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2031841
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42717
http://www.debian.org/security/-1/dsa-5023
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42717
http://www.cvedetails.com/cve/CVE-2021-42717/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717/
Comment 1 Carlos López 2022-02-02 15:54:42 UTC
The following codestreams include the JSON code, but do not contain the fix [0] (included in v2.9.5 and v3.0.6):
 - SUSE:SLE-12-SP1:Update
 - SUSE:SLE-15:Update
 - SUSE:SLE-15-SP4:Update
 - openSUSE:Factory

However, the original report [1] specifies that if modsecurity is built without yajl, the package is not vulnerable. I do not see the `--with-yajl` flag in the .spec file for these codestreams.

@Danilo, could you please confirm whether we build with or without JSON support? Thanks.

[0] https://github.com/SpiderLabs/ModSecurity/commit/41918335fa4c74fba46a986771a5a6cb457070c4
[1] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717/
Comment 2 Danilo Spinella 2022-02-03 11:43:45 UTC
I can confirm that we build apache2-mod-security2 without support for the yajl library.
Comment 3 Carlos López 2022-02-03 12:26:47 UTC
Thanks for the quick response, Danilo. Closing the issue, as builds without JSON support are not affected.
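
The description above attributes the denial of service to JSON bodies nested tens of thousands of levels deep. As an added illustration (not code from ModSecurity, its fix, or this bug report), the C function below scans a body once and rejects it when nesting exceeds a caller-chosen limit, before any JSON parser sees it; the function name, return codes and `limit` parameter are assumptions made for the example.

```c
#include <stddef.h>

/* Added illustration: names and return codes are assumptions, not ModSecurity code. */
#define JSON_DEPTH_OK        0
#define JSON_DEPTH_EXCEEDED -1
#define JSON_UNBALANCED     -2

/*
 * Single-pass scan of a request body that tracks how deeply objects and
 * arrays are nested, without recursion and without building a tree.
 * Brackets inside string literals are ignored, including after escapes.
 * If max_seen is non-NULL and the scan reaches the end of the buffer,
 * *max_seen receives the deepest nesting level reached.
 */
int json_check_depth(const char *buf, size_t len, size_t limit, size_t *max_seen)
{
    size_t depth = 0, deepest = 0;
    int in_string = 0, escaped = 0;

    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (in_string) {
            if (escaped)        escaped = 0;   /* char after a backslash is literal */
            else if (c == '\\') escaped = 1;
            else if (c == '"')  in_string = 0;
            continue;
        }
        switch (c) {
        case '"':
            in_string = 1;
            break;
        case '{': case '[':
            if (++depth > limit)
                return JSON_DEPTH_EXCEEDED;    /* reject without reading the rest */
            if (depth > deepest) deepest = depth;
            break;
        case '}': case ']':
            if (depth == 0)
                return JSON_UNBALANCED;        /* closer with nothing open */
            depth--;
            break;
        default:
            break;
        }
    }
    if (max_seen) *max_seen = deepest;
    return (depth == 0 && !in_string) ? JSON_DEPTH_OK : JSON_UNBALANCED;
}
```

The scan only bounds nesting and bracket balance; it does not validate the JSON itself, so a body that passes still goes through the real parser.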