Addressing a DoS Vulnerability (CVE-2020-15598) in ModSecurity

NGINX | September 14, 2020

[Editor – The NGINX ModSecurity WAF module for NGINX Plus officially went End-of-Sale as of April 1, 2022 and is transitioning to End-of-Life effective March 31, 2024. For more details, see F5 NGINX ModSecurity WAF Is Transitioning to End-of-Life on our blog.]

On 14 September 2020, the OWASP ModSecurity Core Rule Set (CRS) team published details of a vulnerability in ModSecurity. The vulnerability has been assigned the identifier CVE-2020-15598, but details have not been published as of this writing. The nature of the issue is disputed by Trustwave, the maintainer of the ModSecurity project, which has proposed mitigations for the problematic behavior.

The issue can affect the NGINX ModSecurity WAF module for NGINX Plus, which is based on the current ModSecurity 3.0.4 release. The NGINX team at F5 worked with the reporter and has validated and applied their recommended update to recent releases of NGINX ModSecurity WAF (for NGINX Plus R20, R21, and R22).

For more details on the issue, please refer to the following resources:

The NGINX product team at F5 is grateful to Christian Folini at NetNEA and CRS developer Ervin Hegedüs for their support in creating a patch for NGINX ModSecurity WAF. We strongly encourage NGINX Plus subscribers to upgrade their NGINX ModSecurity WAF module to the latest version for NGINX Plus R20, R21, or R22.

Subscribers who are running versions 20-1.0.0-12, 21-1.0.1-2, or 22-1.0.1-2 or later of the nginx-plus-module-modsecurity package are protected from this issue. To confirm the installed version, you can run the following command:

  • Ubuntu and related platforms:


  • Red Hat Enterprise Linux and related platforms:
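As an added example that is not part of the NGINX advisory, the following POSIX shell script asks dpkg or rpm for the installed nginx-plus-module-modsecurity version and compares it field by field against the fixed versions listed above, so the check can run unattended across a fleet. The package-manager version formats it normalises (a Debian `R+X.Y.Z-N~codename` form and an RPM `R+X.Y.Z-N.elN.ngx` form, reduced to the advisory's `R-X.Y.Z-N`) are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the NGINX advisory: report whether the installed
# nginx-plus-module-modsecurity package is at or above the fixed version
# the advisory lists for its NGINX Plus release line (R20, R21, R22).
PKG=nginx-plus-module-modsecurity

# Fixed package versions from the advisory, keyed by NGINX Plus release.
fixed_version_for() {
  case "$1" in
    20) echo "20-1.0.0-12" ;;
    21) echo "21-1.0.1-2" ;;
    22) echo "22-1.0.1-2" ;;
    *)  return 1 ;;
  esac
}

# Reduce a package-manager version string to the advisory's R-X.Y.Z-N form.
# Assumption: Debian builds look like "22+1.0.1-2~focal" and RPM builds like
# "22+1.0.1-2.el7.ngx"; the distro suffix is dropped and '+' becomes '-'.
normalize_version() {
  printf '%s\n' "$1" | sed -E 's/^([0-9]+)[+-]([0-9.]+)-([0-9]+).*$/\1-\2-\3/'
}

# Print "ok" if version $1 >= version $2, comparing numeric fields (split on
# '.' and '-') left to right; otherwise print "vulnerable".
version_at_least() {
  want=$(printf '%s' "$2" | sed 's/[.-]/ /g')
  set -- $(printf '%s' "$1" | sed 's/[.-]/ /g')
  for w in $want; do
    h=${1:-0}; [ $# -gt 0 ] && shift
    [ "$h" -gt "$w" ] && { echo ok; return 0; }
    [ "$h" -lt "$w" ] && { echo vulnerable; return 0; }
  done
  echo ok
}

# Classify one version string as ok, vulnerable or unknown-release.
check_version() {
  v=$(normalize_version "$1")
  fix=$(fixed_version_for "${v%%-*}") || { echo unknown-release; return 0; }
  version_at_least "$v" "$fix"
}

# Ask dpkg or rpm for the installed version and print the verdict.
report_status() {
  v=$(dpkg-query -W -f '${Version}' "$PKG" 2>/dev/null ||
      rpm -q --qf '%{VERSION}-%{RELEASE}' "$PKG" 2>/dev/null) || true
  [ -n "$v" ] || { echo "$PKG is not installed"; return 0; }
  echo "$PKG $v: $(check_version "$v")"
}

if [ "${1:-}" = "--check" ]; then report_status; fi
```

Run it as `sh check-modsec.sh --check` on the host; a result other than `ok` means the module is below the fixed version for its release line or the version string could not be mapped to R20, R21 or R22.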

Please reach out to your NGINX support representative at F5 if you require any assistance.

If using a private, open source build of ModSecurity, refer to the official Trustwave SpiderLabs ModSecurity repository on GitHub, consider the alternative mitigations proposed by Trustwave, and evaluate the patch provided by the OWASP CRS team. If you use ModSecurity from another source, please contact the maintainer of that source or consider the mitigations described by the OWASP CRS team and Trustwave.


About the Author

Owen Garrett, Sr. Director, Product Management
