ModSecurity Denial-of-Service Vulnerability in JSON Payload Processing

Vulnerability

A denial-of-service vulnerability has been identified in ModSecurity versions through 2.9.8. The issue arises in the Apache2 module when the payload's content type is 'application/json' and at least one rule applies a 'sanitiseMatchedBytes' action. This combination can lead to excessive memory consumption, as the 'sanitiseMatchedBytes' action is applied repeatedly to each variable in the JSON payload, potentially causing an out-of-memory error after a few requests.

Impact

Exploitation of this vulnerability leads to high memory consumption, causing Apache to run out of memory and potentially crash.

Reproduction

To reproduce this vulnerability, create a JSON payload with a content type of 'application/json' that includes multiple items. Upload this payload to a server running ModSecurity with a rule that uses the 'sanitiseMatchedBytes' action. Monitor the Apache memory usage, which will increase significantly with each request, eventually leading to an out-of-memory error.

Remediation

Users can update to ModSecurity version 2.9.9, which includes a patch for this vulnerability. The update can be obtained from the ModSecurity GitHub repository.
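As an added example (not part of the original advisory or the ModSecurity project), a small Python audit that checks whether a deployment meets the vulnerable combination described above: a ModSecurity 2.x version at or below 2.9.8 together with at least one rule carrying the sanitiseMatchedBytes action. The rule text is constructed for the example and handles the backslash line continuations used in ModSecurity rule files.

```python
import re

# Constructed sample rule file (not taken from the advisory): three rules,
# one of which applies sanitiseMatchedBytes across a backslash continuation.
SAMPLE_RULES = r'''
SecRule REQUEST_HEADERS:Content-Type "application/json" \
    "id:200001,phase:1,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRule ARGS "@rx (?i)password" \
    "id:200002,phase:2,pass,log,\
    sanitiseMatchedBytes"
SecRule ARGS "@rx secret" "id:200003,phase:2,deny,log"
'''

def is_affected_version(version: str) -> bool:
    """True for ModSecurity 2.x releases up to and including 2.9.8."""
    m = re.match(r'^(\d+)\.(\d+)\.(\d+)', version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    # The advisory concerns the Apache2 module of the 2.x line only.
    return major == 2 and (minor, patch) <= (9, 8)

def join_continuations(text: str) -> list[str]:
    """Merge backslash-continued lines so each directive is one string."""
    directives, buf = [], ''
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        buf += line
        if buf.strip():
            directives.append(buf.strip())
        buf = ''
    if buf.strip():
        directives.append(buf.strip())
    return directives

def sanitise_rule_ids(text: str) -> list[str]:
    """Ids of SecRule directives whose action list includes sanitiseMatchedBytes."""
    ids = []
    for directive in join_continuations(text):
        if directive.startswith('SecRule') and 'sanitiseMatchedBytes' in directive:
            m = re.search(r'\bid:(\d+)', directive)
            ids.append(m.group(1) if m else '<no id>')
    return ids

def assess(version: str, rules_text: str) -> dict:
    """Combine both conditions; 'exposed' is True only when both hold."""
    affected = is_affected_version(version)
    ids = sanitise_rule_ids(rules_text)
    return {'affected_version': affected, 'sanitise_rule_ids': ids,
            'exposed': affected and bool(ids)}
```

Run assess() against the deployed version string and the concatenated contents of the loaded rule files; a result with 'exposed' set to True indicates the conditions the advisory describes and calls for the 2.9.9 update.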

Added: Jun 5, 2025, 11:20 PM
Updated: Jun 5, 2025, 11:55 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.