Debian Security Advisory
DLA-3031-1 modsecurity-apache -- LTS security update
- Date Reported:
- 28 May 2022
- Affected Packages:
- modsecurity-apache
- Security database references:
- In Mitre's CVE dictionary: CVE-2021-42717.
- More information:
It was discovered that there was a potential resource exhaustion attack in modsecurity-apache, an Apache module which inspects HTTP requests with the aim of preventing typical web application attacks such as XSS and SQL injection.
ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. ModSecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.
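As an added illustration of the defensive idea (example code, not from ModSecurity or the Debian package): a single linear pass that bounds JSON nesting depth and rejects a body before it ever reaches a recursive parser, so a deeply nested request costs O(length) rather than minutes of CPU. The limit of 64 and the sample bodies are assumptions constructed for the example.

```python
from __future__ import annotations
import json

# Added example (not ModSecurity code): bound JSON nesting depth in one linear
# pass before the body reaches a recursive parser. Limit is an assumed policy.
MAX_DEPTH = 64

def json_nesting_depth(body: str, limit: int = MAX_DEPTH) -> int:
    """Max {}/[] nesting depth of body, returning limit + 1 as soon as it is
    exceeded. String contents are skipped; O(len(body)) time, O(1) memory."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in body:
        if in_string:  # inside a JSON string: brackets do not count
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > max_depth:
                max_depth = depth
                if max_depth > limit:
                    return limit + 1  # bail out early; no need to read the rest
        elif ch in "}]":
            depth -= 1
    return max_depth

def inspect_body(body: str, limit: int = MAX_DEPTH) -> tuple[bool, str]:
    """Gate a request body: reject on depth or malformed JSON, else accept."""
    depth = json_nesting_depth(body, limit)
    if depth > limit:
        return False, f"rejected: nesting depth exceeds {limit}"
    try:
        json.loads(body)  # safe now: parser recursion is bounded by `limit`
    except ValueError as exc:
        return False, f"rejected: malformed JSON ({exc})"
    return True, f"accepted: depth {depth}"

if __name__ == "__main__":
    # Constructed samples: a normal body and a ~100 KB body nested 50,000 deep
    normal = '{"user": "alice", "tags": ["a", {"k": "}{[["}]}'
    hostile = "[" * 50_000 + "]" * 50_000
    print(inspect_body(normal))   # (True, 'accepted: depth 3')
    print(inspect_body(hostile))  # (False, 'rejected: nesting depth exceeds 64')
```

Without the pre-check, handing the hostile body straight to `json.loads` exhausts the interpreter's recursion limit, which is the same class of failure the advisory describes in the module's parser.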
For Debian 9 "Stretch", this problem has been fixed in version 2.9.1-2+deb9u1.
We recommend that you upgrade your modsecurity-apache packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS