
On 14 September 2020, the OWASP ModSecurity Core Rule Set (CRS) team published details of a vulnerability in ModSecurity. The vulnerability has been assigned the identifier CVE-2020-15598, but details have not been published as of this writing. The nature of the issue is disputed by Trustwave, the maintainer of the ModSecurity project, who has proposed mitigations for the problematic behavior.

The issue can affect the NGINX Plus ModSecurity module, which is based on the current ModSecurity 3.0.4 release. The NGINX team at F5 worked with the reporter and has validated and applied their recommended update to recent releases of the NGINX Plus ModSecurity module (for NGINX Plus R20, R21, and R22).

For more details on the issue, please refer to the following resources:

The NGINX product team at F5 is grateful to Christian Folini at NetNEA and CRS developer Ervin Hegedüs for their help in creating a patch for the NGINX Plus ModSecurity module. We strongly encourage NGINX Plus subscribers to upgrade their NGINX Plus ModSecurity module to the latest version for NGINX Plus R20, R21, or R22.

Subscribers who are running versions 20-1.0.0-12, 21-1.0.1-2, or 22-1.0.1-2 or later of the nginx-plus-module-modsecurity package are protected from this issue. To confirm the installed version, you can run the following command:

  • Ubuntu and related platforms:

    # apt list --installed nginx-plus-module-modsecurity
    Listing... Done
    nginx-plus-module-modsecurity/stable,now 22+1.0.1-2~focal amd64 [installed]

  • Red Hat Enterprise Linux and related platforms:

    # yum list --installed nginx-plus-module-modsecurity
    nginx-plus-module-modsecurity.x86_64  22+1.0.1-2.el8.ngx    @nginx-plus
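As an added example that is not part of this advisory, the following POSIX shell script parses the version strings printed by apt or yum above (in both the Debian "~focal" and the RPM ".el8.ngx" forms) and reports whether the installed package is at or above the fixed versions listed for R20, R21 and R22. The function names, the release-to-version table and the sample strings are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the NGINX advisory: decide whether an installed
# nginx-plus-module-modsecurity version string is at or above the fixed
# versions the advisory names (20-1.0.0-12, 21-1.0.1-2, 22-1.0.1-2).

# Minimum fixed "<upstream version> <package revision>" per NGINX Plus release.
min_for_release() {
    case "$1" in
        20) printf '%s\n' "1.0.0 12" ;;
        21) printf '%s\n' "1.0.1 2" ;;
        22) printf '%s\n' "1.0.1 2" ;;
        *)  return 1 ;;   # release not covered by the advisory
    esac
}

# Compare two dotted numeric versions; prints -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "${ah:-0}" -lt "${bh:-0}" ] && { printf '%s\n' -1; return 0; }
        [ "${ah:-0}" -gt "${bh:-0}" ] && { printf '%s\n' 1; return 0; }
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# Exit 0 if a package version as printed by apt/yum (e.g. "22+1.0.1-2~focal"
# or "22+1.0.1-2.el8.ngx") carries the fix, 1 otherwise.
modsec_is_fixed() {
    v="$1"
    release="${v%%+*}"          # "22"
    rest="${v#*+}"              # "1.0.1-2~focal"
    upstream="${rest%%-*}"      # "1.0.1"
    rev="${rest#*-}"            # "2~focal" / "2.el8.ngx"
    rev="${rev%%[!0-9]*}"       # "2" (strip the distro suffix)
    min=$(min_for_release "$release") || return 1
    min_up="${min% *}"; min_rev="${min#* }"
    c=$(vercmp "$upstream" "$min_up")
    [ "$c" -gt 0 ] && return 0
    [ "$c" -lt 0 ] && return 1
    [ "${rev:-0}" -ge "$min_rev" ]
}

# Constructed sample strings in the two formats shown in the advisory.
for s in "22+1.0.1-2~focal" "22+1.0.1-2.el8.ngx" "20+1.0.0-11~bionic"; do
    if modsec_is_fixed "$s"; then echo "$s: fixed"; else echo "$s: NOT fixed"; fi
done
```

On a live host, feed it the real value from `dpkg-query -W -f='${Version}' nginx-plus-module-modsecurity` or `rpm -q --qf '%{VERSION}-%{RELEASE}\n' nginx-plus-module-modsecurity` instead of the sample strings.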

Please reach out to your NGINX support representative at F5 if you require any assistance.

If you are using a private, open source build of ModSecurity, refer to the official Trustwave SpiderLabs ModSecurity repository on GitHub, consider the alternative mitigations proposed by Trustwave, and evaluate the patch provided by the OWASP CRS team. If you use ModSecurity from another source, please contact the maintainer of that source or consider the mitigations described by the OWASP CRS team and Trustwave.


About the author

Owen Garrett

Senior Director of Product Management

Owen is a senior member of the NGINX Product Management team, covering open source and commercial NGINX products. He holds a particular responsibility for microservices and Kubernetes‑centric solutions. He’s constantly amazed by the ingenuity of NGINX users and still learns of new ways to use NGINX with every discussion.

About F5 NGINX

F5, Inc. is the company behind NGINX, the popular open source software. We offer a suite of technologies for developing and delivering modern applications. Our joint solutions bridge the gap between NetOps and DevOps, providing multi-cloud application services from code to customer. Visit nginx-cn.net to learn more.