Author Topic: ModSecurity Security Bug  (Read 3511 times)

0 Members and 1 Guest are viewing this topic.

Offline
*****
ModSecurity Security Bug
« on: November 22, 2020, 04:08:01 PM »
the servers had a DDoS attack yesterday, while researching after it was taken care of, I found out ModSecurity has a Critical DoS bug in it Official Advisory for CVE-2020-15598.

From versions ModSecurity v3.0.0 to ModSecurity v3.0.3
ModSecurity v3.0.4 (patch for this version available)

Looking at CWP, it looks like it has version 2.9.1.

ModSecurity for Apache/2.9.1 (http://www.modsecurity.org/) configured.
[Sun Nov 22 15:56:26.417997 2020] [:notice] [pid 2593432:tid 139878257435200] ModSecurity: APR compiled version="1.6.2"; loaded version="1.6.2"
[Sun Nov 22 15:56:26.418006 2020] [:notice] [pid 2593432:tid 139878257435200] ModSecurity: PCRE compiled version="8.42 "; loaded version="8.42 2018-03-20"
[Sun Nov 22 15:56:26.418010 2020] [:notice] [pid 2593432:tid 139878257435200] ModSecurity: LIBXML compiled version="2.9.7"
[Sun Nov 22 15:56:26.418012 2020] [:notice] [pid 2593432:tid 139878257435200] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.

Anyone know if this is affected, or how to upgrade ModSecurity on CWP?

Thanks