We are happy to announce that cPanel, L.L.C. has released an update for EasyApache 4!  Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.

• ea-modsec2-rules-owasp-crs
  • EA-10944: Update ea-modsec2-rules-owasp-crs from v3.3.2 to v3.3.4
    • CVE-2022-39955 – Multiple charsets defined in Content-Type header
    • CVE-2022-39956 – Content-Type or Content-Transfer-Encoding MIME header fields abuse
    • CVE-2022-39957 – Charset accept header field resulting in response rule set bypass
    • CVE-2022-39958 – Small range header leading to response rule set bypass

• ea-nginx
  • EA-10874: Remove fallback logic in scripts::ea_nginx::_get_application_paths()
  • EA-10574: Remove deprecated configure option –with-ipv6
  • EA-11069: Increase open files limit for master and worker processes
  • EA-11048: Move ‘/var/log/nginx’ to a backup location during uninstall

• ea-nginx-njs
  • EA-11059: Update ea-nginx-njs from v0.7.8 to v0.7.9

• scl-php73
  • EA-11039: Ensure php.ini is marked as a config file on ubuntu

• ea-php74
  • EA-11039: Ensure php.ini is marked as a config file on debian based systems

• ea-php80
  • EA-11074: Update ea-php80 from v8.0.25 to v8.0.26
  • EA-11039: Ensure php.ini is marked as a config file on debian based systems

• ea-php80-meta
  • EA-11039: Ensure php.ini is marked as a config file on debian based systems

• ea-php81
  • EA-11070: Update ea-php81 from v8.1.12 to v8.1.13
  • EA-11039: Ensure php.ini is marked as a config file on debian based systems

• ea-php81-meta
  • EA-11070: Update ea-php81 from v8.1.12 to v8.1.13

• ea-ruby27
• ea-ruby27-meta
• ea-ruby27-rubygem-mizuho
• ea-ruby27-rubygem-nokogiri
• ea-ruby27-rubygem-rack
• ea-ruby27-rubygem-sqlite3
  • EA-11073: Update ea-ruby27 from v2.7.6 to v2.7.7
  • CVE-2021-33621: HTTP response splitting in CGI

• ea-tomcat85
  • EA-11072: Update ea-tomcat85 from v8.5.83 to v8.5.84

• mod_security2
  • EA-11068: Update mod_security2 from v2.9.3 to v2.9.6
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39956 partial rule set bypass for HTTP multipart requests
    • Security: Support configurable limit on depth of JSON parsing (possible DoS issue)

• scl-ioncube12
  • EA-11079: Update scl-ioncube12 from v12.0.2 to v12.0.3

This release includes a security patch that has been issued a fix for a CVE (Common Vulnerabilities and Exposures), the details of which are included below.

SUMMARY
cPanel, L.L.C. has updated packages for EasyApache 4 with ModSecurity version 2.9.6, OWASP ModSecurity Rule Set (CRS) version 3.3.4, and Ruby version 2.7.7. This release addresses vulnerabilities related to CVE-2022-39955, CVE-2022-39956, CVE-2022-39957, CVE-2022-39958, and CVE-2021-33621. We strongly encourage all ModSecurity users to update to version 2.9.6, all OWASP CRS users to update to version 3.3.4, and all Ruby users to update to version 2.7.7.

AFFECTED VERSIONS
All versions of ModSecurity through 2.9.5.
All versions of OWASP CRS through 3.3.3.
All versions of Ruby through 2.7.6.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2022-39955 – CRITICAL
OWASP CRS 3.3.4
Fixed vulnerability related to CVE-2022-39955.

CVE-2022-39956 – CRITICAL
ModSecurity 2.9.6
Fixed vulnerability related to CVE-2022-39956.

OWASP CRS 3.3.4
Fixed vulnerability related to CVE-2022-39956.

CVE-2022-39957 – HIGH
OWASP CRS 3.3.4
Fixed vulnerability related to CVE-2022-39957.

CVE-2022-39958 – HIGH
OWASP CRS 3.3.4
Fixed vulnerability related to CVE-2022-39958.

CVE-2021-33621 – HIGH
Ruby 2.7.7
Fixed vulnerability related toCVE-2021-33621.

SOLUTION
cPanel, L.L.C. has released updated packages for EasyApache 4 on December 7, 2022, with ModSecurity version 2.9.6, OWASP ModSecurity Rule Set (CRS) version 3.3.4, and Ruby version 2.7.7. Unless you have enabled automatic package updates in your cron, update your system with either your package manager or WHM’s Run System Update interface.

REFERENCES
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39955
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39956
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39957
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39958
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33621
https://raw.githubusercontent.com/coreruleset/coreruleset/v3.3/master/CHANGES
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.6
https://www.ruby-lang.org/en/news/2022/11/24/ruby-2-7-7-released/

https://news.cpanel.com/wp-content/uploads/2022/12/EA4-2022-12-7-CVE.signed.txt