CVE-2016-1182, CVE-2016-1181, CVE-2015-0899, CVE-2014-0114


Matthias Apitz

Jan 10, 2022, 5:23:49 AM
to ModSecurity Core Rule Set project, gu...@unixarea.de
Hello,

We have a Java written web application which uses (among other) struts 1.3.5, which you can call outdated, but has only 4-5 CVEs:
31    CVE-2016-1182    DoS XSS          6.4
32    CVE-2016-1181    DoS Exec Code    6.8
38    CVE-2015-0899    Bypass           5.0
41    CVE-2014-0114    Exec Code        7.5
58    CVE-2012-1007    XSS              4.3
Our intention was to use mod_security2 as a WAF and use rules from the CRS to block attacks. But, the mentioned CVEs are not found in coreruleset-3.4-dev/rules/*.conf.
Why? Are they too old?

What would be the best approach to get rules for these CVE security issues?

Thanks in advance

matthias


Christian Folini

Jan 10, 2022, 5:38:04 AM
to Matthias Apitz, ModSecurity Core Rule Set project, gu...@unixarea.de
Hey Matthias,

CRS is a generic rule set. We do not do rules for every CVE that comes out -
and the documentation / rules file mention individual CVEs in a very
non-systematic way.

This all means that chances are CRS is detecting these as well.

It's probably easiest to find out by trying out the exploits in our public
sandbox:
https://coreruleset.org/20211209/introducing-the-crs-sandbox/

Cheers,

Christian

Matthias Apitz

Jan 10, 2022, 8:14:11 AM
to ModSecurity Core Rule Set project, Christian Folini, ModSecurity Core Rule Set project, Matthias Apitz
Hello Christian,

Thanks for your kind reply. The sandbox is a good approach and helps to do tests without
setting up an own installation with Apache+mod_security2+rules. The problem is that I do not
have any exploits to send with curl to the sandbox. The CVEs are noted here:
but I do not have any exploit for any of the 4 CVEs.

Any ideas about how to get such exploits? Thanks

matthias

Christian Folini

Jan 10, 2022, 8:21:40 AM
to Matthias Apitz, ModSecurity Core Rule Set project, Matthias Apitz
Hey Matthias,

We share the same problem very often.

Sometimes they come with the advisory as an indicator of compromise to check
in the logs. Sometimes in an accompanying blog post that explains the
vulnerability in detail. But very often the vendor keeps it back, the
person who did the discovery is cautious to not incentivize any criminals, and
sometimes a proof of concept does not even exist.

Which brings us to the situation where we think we might be covering for a
certain vulnerability but we can not tell for sure and you are left on your
own devices.

I understand that this is unsatisfying, but it would indeed be a separate project
of its own to try and document this for 20+K vulnerabilities every year. Or a
possible differentiator for a commercial CRS integrator that keeps an overview
in order to share with its customers.

Best,

Christian