Resolved upgrade owasp modsec to 3.2.1 or 3.3.2 - severe security breach in 3.0.5 and 3.2.0 ( cvss score 8 + )

josephGW · Dec 9, 2021

Hello Devs,

Actual plesk owasp modsec version is 3.2 from 2019 and 3.0.5 for apache.
Could you update to the last version ? ( 3.3.2 ) or to 3.2.1 because
OWASP modsec 3.05 and 3.2.0 have a severe security breach ( cvss score 8 +).
It has been patched in 3.2.1 or 3.3.2.

And owasp crs 3.05 is EOL, it's not supported anymore.

CVE-2021-35368 – CRS Request Body Bypass (Update) – OWASP ModSecurity Core Rule Set

I've posted a suggestion : upgrade owasp modsec 3.3.2

Thanks

IgorG · Dec 9, 2021

What is your Plesk version and version of plesk-modsecurity-crs package?

In the latest Plesk 18.0.40 Update 1 we have:

[root@ppu18-0 ~]# rpm -qa plesk-modsecurity-crs
plesk-modsecurity-crs-3.3.2-2.centos.7+p18.0.38.0+t210825.1032.x86_64

josephGW · Dec 10, 2021

Hello Igor,

Thanks for your quick answer,
I'm using plesk 18.0.40 Update 1 latest updates with ubuntu 20.04.3 latest updates.

I saw in obsidian changelog that owasp has been updated to 3.2.0, no updates from that date noted in changelog - 30 August 2021 ( another screen ) :

Sorry i verified in modsec folder, nginx rules are in 3.3.2
I didn't verified, i just looked in the changelog before posting.

You can close the post request.

I'll do more checkings before posting in the future.

Sorry for the time passed to answer.

Resolved upgrade owasp modsec to 3.2.1 or 3.3.2 - severe security breach in 3.0.5 and 3.2.0 ( cvss score 8 + )

josephGW

New Pleskian

IgorG

Plesk addicted!

josephGW

New Pleskian