OESA-2021-1464

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1464

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2021-1464.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2021-1464

Upstream

CVE-2021-42717

Published

2021-12-17T11:03:25Z

Modified

2025-08-12T05:10:25.194430Z

Summary

mod_security security update

Details

This software is also called Modsec,it is an open-source web application firewall. It is designed for Apache HTTP Server.ModSecurity is commonly deployed to provide protections against generic classed of vulnerabilities.The install of this package is easy and you can read the README.TXT for more information.

Security Fix(es):

ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.(CVE-2021-42717)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:20.03-LTS-SP1 / mod_security

Package

Name: mod_security
Purl: pkg:rpm/openEuler/mod_security&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.5-1.oe1

Ecosystem specific

{
    "aarch64": [
        "mod_security-debugsource-2.9.5-1.oe1.aarch64.rpm",
        "mod_security-2.9.5-1.oe1.aarch64.rpm",
        "mod_security-debuginfo-2.9.5-1.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "mod_security-debugsource-2.9.5-1.oe1.x86_64.rpm",
        "mod_security-2.9.5-1.oe1.x86_64.rpm",
        "mod_security-debuginfo-2.9.5-1.oe1.x86_64.rpm"
    ],
    "src": [
        "mod_security-2.9.5-1.oe1.src.rpm"
    ]
}

openEuler:20.03-LTS-SP2 / mod_security

Package

Name: mod_security
Purl: pkg:rpm/openEuler/mod_security&distro=openEuler-20.03-LTS-SP2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.5-1.oe1

Ecosystem specific

{
    "aarch64": [
        "mod_security-debuginfo-2.9.5-1.oe1.aarch64.rpm",
        "mod_security-2.9.5-1.oe1.aarch64.rpm",
        "mod_security-debugsource-2.9.5-1.oe1.aarch64.rpm"
    ],
    "x86_64": [
        "mod_security-2.9.5-1.oe1.x86_64.rpm",
        "mod_security-debugsource-2.9.5-1.oe1.x86_64.rpm",
        "mod_security-debuginfo-2.9.5-1.oe1.x86_64.rpm"
    ],
    "src": [
        "mod_security-2.9.5-1.oe1.src.rpm"
    ]
}