
Cloud Vulnerability DB
A community-led vulnerabilities database
Trustwave ModSecurity 3.x before version 3.0.10 contains a vulnerability related to inefficient algorithmic complexity in four transformation actions. The vulnerability was discovered and reported in July 2023, affecting the ModSecurity Web Application Firewall (WAF) engine. This issue specifically impacts ModSecurity v3 installations, while ModSecurity v2 is not affected (Trustwave Blog).
The vulnerability affects four specific transformation actions: removeWhitespace, removeNull, replaceNull, and removeCommentsChar. While these transformations are functionally correct, they implement inefficient solutions that can be exploited when processing specially crafted HTTP requests. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, Trustwave Blog).
When exploited, the vulnerability can cause significant processing delays, potentially leading to a denial of service condition. Even with default configuration limits in place (such as SecRequestBodyNoFilesLimit set to 131072), multiple executions of these transformations could result in several seconds of delay for a single HTTP transaction. If multiple malicious requests are processed simultaneously, the webserver may become unable to handle legitimate requests effectively (Trustwave Blog).
For installations where an immediate upgrade to version 3.0.10 is not feasible, several mitigation options are available. Administrators can add ModSecurity rules that cap the length of the values being processed while still allowing legitimate content. For example, the following rule denies any request in which an ARGS value, after the length transformation, exceeds 16000 characters: SecRule ARGS "@gt 16000" "id:1,phase:2,t:length,deny,status:403,msg:'ARG exceeds length limit'". Additionally, reducing the SecRequestBodyNoFilesLimit configuration value helps bound the delay that a worst-case input can cause (Trustwave Blog).
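The following is an added, constructed Python model (not libmodsecurity's code and not from the advisory) of the bug class and the mitigation: a hypothetical whitespace-removal transform whose work grows quadratically with the input, its single-pass equivalent, and a check that mirrors the per-value semantics of the SecRule above. The 16000 threshold comes from the rule; the 20,000-character sample value is an assumption chosen to keep the demo fast.

```python
"""Illustrative model of the ModSecurity advisory: a transformation whose cost
grows quadratically with the input, and the length-limit rule that bounds it.
Constructed example for explanation only, not libmodsecurity's implementation."""
import time

WHITESPACE = " \t\r\n"
ARG_LENGTH_LIMIT = 16000  # threshold from the SecRule mitigation: "@gt 16000" after t:length


def remove_whitespace_quadratic(value: str) -> str:
    """Hypothetical inefficient transform: each whitespace character is removed
    by rebuilding the string, so a value that is mostly whitespace costs O(n^2)."""
    out = value
    i = 0
    while i < len(out):
        if out[i] in WHITESPACE:
            out = out[:i] + out[i + 1:]  # copies the remainder on every deletion
        else:
            i += 1
    return out


def remove_whitespace_linear(value: str) -> str:
    """Single-pass equivalent: same output, O(n) work regardless of content."""
    return "".join(c for c in value if c not in WHITESPACE)


def should_deny(args: dict) -> list:
    """Models `SecRule ARGS "@gt 16000" "...t:length,deny..."`: the rule applies the
    length transformation to every ARGS value and denies when any exceeds the limit.
    Returns the names of offending arguments (an empty list means the request passes)."""
    return [name for name, value in args.items() if len(value) > ARG_LENGTH_LIMIT]


def measure(fn, value: str) -> float:
    """Wall-clock seconds spent transforming one value."""
    start = time.perf_counter()
    fn(value)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed worst-case value: 20,000 whitespace characters followed by one letter.
    heavy = " " * 20_000 + "x"
    print("quadratic:", f"{measure(remove_whitespace_quadratic, heavy):.3f}s")
    print("linear:   ", f"{measure(remove_whitespace_linear, heavy):.6f}s")
    # With the mitigation rule in place the value is rejected before any transform runs.
    print("denied args:", should_deny({"q": heavy, "page": "2"}))
```

Both transforms return identical output; the point is that the per-value length cap rejects the expensive input before the transformation chain is ever entered.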
Source: This report was generated using AI