Resolved upgrade owasp modsec to 3.2.1 or 3.3.2 - severe security breach in 3.0.5 and 3.2.0 ( cvss score 8 + )

[josephGW]

Hello Devs,

Actual plesk owasp modsec version is 3.2 from 2019 and 3.0.5 for apache.
Could you update to the last version ? ( 3.3.2 ) or to 3.2.1 because
OWASP modsec 3.05 and 3.2.0 have a severe security breach ( cvss score 8 +).
It has been patched in 3.2.1 or 3.3.2.

And owasp crs 3.05 is EOL, it's not supported anymore.


CVE-2021-35368 – CRS Request Body Bypass (Update) – OWASP ModSecurity Core Rule Set

I've posted a suggestion : upgrade owasp modsec 3.3.2


Thanks

 

[IgorG]

What is your Plesk version and version of plesk-modsecurity-crs package?

In the latest Plesk 18.0.40 Update 1 we have:

[root@ppu18-0 ~]# rpm -qa plesk-modsecurity-crs
plesk-modsecurity-crs-3.3.2-2.centos.7+p18.0.38.0+t210825.1032.x86_64

 

[josephGW]

Hello Igor,

Thanks for your quick answer,
I'm using plesk 18.0.40 Update 1 latest updates with ubuntu 20.04.3 latest updates.

I saw in obsidian changelog that owasp has been updated to 3.2.0, no updates from that date noted in changelog - 30 August 2021 ( another screen ) :

Sorry i verified in modsec folder, nginx rules are in 3.3.2
I didn't verified, i just looked in the changelog before posting.


You can close the post request.

I'll do more checkings before posting in the future.

Sorry for the time passed to answer.