CVE-2021-42717
📋 TL;DR
CVE-2021-42717 is a denial-of-service vulnerability in ModSecurity's JSON parser: a request body containing deeply nested JSON objects or arrays makes the parser consume excessive CPU and blocks the worker process handling the request. It affects ModSecurity 2.8.0-2.9.4 and 3.x-3.0.5 when processing JSON payloads. Any web server running a vulnerable ModSecurity version with JSON request-body parsing enabled is affected.
💻 Affected Systems
- ModSecurity
- NGINX with ModSecurity module
- Apache with ModSecurity module
- Other web servers using ModSecurity
📦 What is this software?
ModSecurity by Trustwave
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service where all worker processes become occupied processing malicious JSON, making the web server unavailable to legitimate users for extended periods.
Likely Case
Partial service degradation where some worker processes are tied up, causing increased latency and reduced capacity for legitimate requests.
If Mitigated
Minimal impact with proper request size limits, rate limiting, and updated ModSecurity rules in place.
🎯 Exploit Status
Exploitation requires sending HTTP requests with deeply nested JSON payloads. Public proof-of-concept code exists demonstrating the attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ModSecurity 2.9.5 and ModSecurity 3.0.6
Vendor Advisory: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717/
Restart Required: Yes
Instructions:
1. Update ModSecurity to version 2.9.5 or 3.0.6 or later.
2. For NGINX: update the ModSecurity module.
3. For Apache: update the ModSecurity module.
4. Restart the web server to apply changes.
🔧 Temporary Workarounds
Limit JSON nesting depth
Configure ModSecurity to reject JSON whose nesting exceeds a chosen depth. The directive for this, SecRequestBodyJsonDepthLimit, is the one introduced by the fixed releases (2.9.5 / 3.0.6); unpatched versions have no depth limit and will fail to load a configuration that uses it, so on those versions use the "Disable JSON parsing" workaround below instead. The value 100 is an example; pick the smallest depth your applications actually need.
SecRequestBodyJsonDepthLimit 100
Disable JSON parsing
Temporarily disable JSON parsing in ModSecurity if it is not required. The ids below are those from modsecurity.conf-recommended, where rule 200001 selects the JSON body processor for Content-Type: application/json; removing it stops the JSON parser from running at all. Rule 200000 is the matching XML body-processor rule and is unrelated to this CVE, so remove it only if XML parsing is also unwanted. SecRuleRemoveById must appear after the rule it removes.
SecRuleRemoveById 200001
SecRuleRemoveById 200000
🧯 If You Can't Patch
- Implement WAF rules to block requests with deeply nested JSON patterns
- Configure request size limits at the web server level to reject large JSON payloads
🔍 How to Verify
Check if Vulnerable:
ModSecurity is a library/module rather than a standalone command, so determine the version from the installed package, the module, or the startup log line rather than from a modsecurity binary.
Check Version:
dpkg -l libapache2-mod-security2 libmodsecurity3 2>/dev/null | grep '^ii'   (Debian/Ubuntu package versions; distributions may backport the fix into an older version string, so compare against the DSA in the references)
grep -h 'ModSecurity for Apache' /path/to/apache/error.log   (mod_security2 logs its version at startup, e.g. "ModSecurity for Apache/2.9.x ... configured")
grep -i modsecurity /path/to/nginx.conf /path/to/apache.conf   (confirm which module is loaded; for NGINX the version is that of libmodsecurity3 above)
Verify Fix Applied:
Verify that the ModSecurity version is 2.9.5+ or 3.0.6+. A quick confirmation is that only the fixed releases accept the SecRequestBodyJsonDepthLimit directive: add it to the configuration and run the server's config test (apachectl configtest or nginx -t); an unpatched version rejects the unknown directive. Then test with a nested JSON payload in a staging environment (use caution).
📡 Detection & Monitoring
Log Indicators:
- High CPU usage by web server processes
- Requests with large JSON payloads taking excessive time
- OWASP CRS rules 949110 or 980130 (inbound anomaly score exceeded) firing
Network Indicators:
- HTTP POST/PUT requests with Content-Type: application/json and unusually large size
- Multiple requests with similar JSON structure in short time
SIEM Query:
source="web_server_logs" AND (msg="JSON parsing" OR msg="ModSecurity") AND (duration>10s OR size>200KB)
🔗 References
- https://lists.debian.org/debian-lts-announce/2022/05/msg00042.html
- https://www.debian.org/security/2021/dsa-5023
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-dos-vulnerability-in-json-parsing-cve-2021-42717/