ModSecurity DoS Vulnerability in JSON Parsing (CVE-2021-42717) · Issue #2647 · owasp-modsecurity/ModSecurity

Some individuals in the ModSecurity community will have already taken note that new releases have been created for both the v2 branch and the v3 branch, and that the content in each case is listed as addressing a security issue.

This GitHub issue is being created to provide some interim information until a somewhat more detailed blog post is available (which is expected within the next 24 hours at https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ ). Its main purpose is to suggest a few mitigation strategies.

The ModSecurity team received a responsible disclosure from @theMiddleBlue about a possible DoS issue in ModSecurity v3 when JSON parsing depth becomes very large. Assistance was later also received from @airween in confirming that the issue likewise exists in v2 and in validating the ultimate fix in that branch. Thanks to both. The DoS in this case is that an attacker could potentially prevent a web server from responding to legitimate requests in a timely manner.

At this early stage of public disclosure, I will omit further details except those that relate directly to mitigation strategies. Upgrading the software is the primary recommendation, but the mitigation strategies below may be useful in cases where upgrading immediately is not possible.

Mitigation Strategies:

If your web applications do not expect JSON request bodies, you can simply disable any rules that activate the JSON parser. The rule that does this by default in modsecurity.conf-recommended is 200001.

Most other mitigation strategies are likely to take advantage of the fact that creating a large JSON parsing depth requires a certain minimum number of characters: each additional nesting level costs at least one more byte of request body, so the depth an attacker can reach is bounded by the size of the body. This implies that the large-depth issue can potentially be controlled by examining total request size.

If, for example, you do have some applications that accept JSON request bodies, but legitimate requests should all be relatively small, you could create a phase:1 chained rule that rejects the request if the JSON parser has been activated and the value in the Content-Length header is larger than a chosen threshold (perhaps 10000 or 20000). Phase 1 runs before the request body is read, so the body is never parsed for a request rejected this way.

ModSecurity v2 users can potentially also make use of SecRequestBodyNoFilesLimit, provided the bodies of other (non-upload) request types also fall within your chosen threshold.

As a special note to users still on versions <2.9.3: Although the problem exists in principle in earlier versions like 2.9.2, it does appear to take a larger request body size to cause noticeable problems. Whether using SecRequestBodyNoFilesLimit or a chained rule that looks at Content-Length, most installations on such older versions can likely mitigate the issue successfully with somewhat higher thresholds (perhaps 40000 or 50000).
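The mitigations above, written out as ModSecurity configuration. This is an added example; it is not configuration from the original issue, from the Trustwave blog post, or from the ModSecurity project. The rule IDs 99001 and 99002, the HTTP status codes and the 10000-byte threshold are assumptions to be adjusted locally. The second rule, which rejects JSON requests that carry no Content-Length header, goes beyond the text: it covers chunked request bodies, which the Content-Length comparison cannot see.

```apacheconf
# Added example configuration, not part of the original issue or of the
# ModSecurity project. Rule IDs 99001/99002, the status codes and the 10000
# byte threshold are assumptions; set the threshold just above the largest
# legitimate JSON body your applications send (the note above suggests that
# 40000-50000 may suffice on versions older than 2.9.3).
#
# Place these directives after the include of modsecurity.conf (so that they
# follow rule 200001) and before any rule set includes.

# Option A: no application expects a JSON request body.
# Removing rule 200001 means the JSON request body processor is never selected.
# Uncomment this line and skip the rest of the file if that is your case.
# SecRuleRemoveById 200001

# Option B: JSON bodies are legitimate but small.
# Phase 1 runs before the request body is read, so an oversized JSON request is
# rejected before the parser ever sees it. The first rule of the chain uses the
# same Content-Type check (and transformations) as rule 200001; the second
# compares Content-Length numerically. Disruptive actions live on the first
# rule of a chain and fire only when every rule in the chain matches.
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
    "id:99001,\
    phase:1,\
    t:none,t:lowercase,\
    deny,\
    status:413,\
    log,\
    msg:'JSON request body exceeds size threshold (CVE-2021-42717 mitigation)',\
    chain"
    SecRule REQUEST_HEADERS:Content-Length "@gt 10000" "t:none"

# A chunked request (Transfer-Encoding: chunked) carries no Content-Length, so
# rule 99001 cannot judge its size. Rejecting JSON requests without a
# Content-Length closes that gap. If clients legitimately send chunked JSON,
# drop this rule and rely on the byte limit in option C instead.
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
    "id:99002,\
    phase:1,\
    t:none,t:lowercase,\
    deny,\
    status:411,\
    log,\
    msg:'JSON request without Content-Length header (CVE-2021-42717 mitigation)',\
    chain"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none"

# Option C (ModSecurity v2 only): cap the number of body bytes accepted for
# non-upload requests. modsecurity.conf-recommended sets this to 131072; the
# lower value must still be above the largest legitimate non-JSON body, since
# the limit applies to every request type without file uploads. The limit
# action must be Reject (not ProcessPartial) for the request to be blocked
# rather than inspected with a truncated body. v3 does not implement
# SecRequestBodyNoFilesLimit; there, SecRequestBodyLimit is the byte limit,
# and it applies to uploads as well.
SecRequestBodyNoFilesLimit 10000
SecRequestBodyLimitAction Reject
```

To check the rules before relying on them, send a request with Content-Type: application/json and a Content-Length above the threshold (for instance a body of 20000 space characters) and confirm a 413 response and an audit log entry for rule 99001, then a normal small JSON request and confirm it still reaches the application.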