Modsecurity: RHEL package does not have working JSON support

Created on 23 May 2018 · 7 Comments · Source: SpiderLabs/ModSecurity

Hi,

I have been trying to get the recently released RHEL modsecurity 2.9 package (https://access.redhat.com/errata/RHBA-2018:0908) to process JSON requests but am receiving the error "Message: JSON support was not enabled".
I believe this is because the YAJL2 library is not installed by the package, possibly because there does not seem to be a yajl-devel package available for RHEL.
I believe this is also an issue with the Amazon Linux package.
Does anyone else have this issue?

Nick

Labels: 2.x · Platform - Apache · RIP - Type - Usage · RIP - release-2.9.2

All 7 comments

Hi @nmiller12,

I didn't have the chance of testing this on my own, but the problem is really the absence of the YAJL library there.

Other than the dependencies list, I've checked the spec file for mod_security-2.9.2-1.el7.src.rpm and it's missing YAJL:

%build
%configure --enable-pcre-match-limit=1000000 \
           --enable-pcre-match-limit-recursion=1000000 \
           --with-apxs=%{_httpd_apxs} \
%if %with_mlogc
       --enable-mlogc \
%else
       --disable-mlogc \
%endif
       --enable-collection-global-lock

This might be due to the missing yajl-devel package on RHEL, but CentOS has such a package and both the RPM dependency list and the spec file for this package are also missing YAJL, so this might be an error or it was kept this way for consistency between CentOS and RHEL.

Unfortunately, we don't have much control on how the packages are delivered by the distros, but if you would like to get this sorted and support the community I would highly encourage you to get in touch with the distro packager in order to get this fixed.

I think for this package in particular, based on the package changelog, it could be Daniel Kopecek dkopecek@redhat.com, but maybe @bostrt could also help :)

If support from our ModSecurity's side is needed let us know and we will happily help :)

@nmiller12 there are two separate issues for this filed in RH's bugzilla:

https://bugzilla.redhat.com/show_bug.cgi?id=1372797 (RHEL 6)
https://bugzilla.redhat.com/show_bug.cgi?id=1375360 (RHEL 7)

The RHEL 6 one was closed, check the first reply for why.

I'll defer to @dkopecek regarding the RHEL 7 bz closure.

I should also mention that you should be able to compile mod_security on RHEL 7 with JSON support enabled since there is a yajl-devel 2.x available.
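A quick way to tell whether a given mod_security2.so build actually has JSON support is to check whether it is linked against libyajl, since that is the library ModSecurity 2.9 uses for JSON request bodies. The script below is an added example, not code from this thread or from the ModSecurity project; it assumes the RHEL 7 httpd module path /usr/lib64/httpd/modules/mod_security2.so and that ldd is available.

```shell
#!/bin/sh
# Added example: report whether an installed mod_security2.so was linked against
# libyajl. Without libyajl, ModSecurity 2.9 logs "JSON support was not enabled"
# when a rule switches the request body processor to JSON.
# Assumption: default RHEL/CentOS httpd module path (adjust for other distros).

# has_yajl: read `ldd` output on stdin, succeed if a libyajl shared object is listed.
has_yajl() {
    grep -q 'libyajl\.so'
}

# modsec_json_support [MODULE]: print a verdict and return
#   0 when libyajl is linked, 1 when it is not, 2 when the module cannot be read.
modsec_json_support() {
    mod="${1:-/usr/lib64/httpd/modules/mod_security2.so}"   # assumed default path
    if [ ! -r "$mod" ]; then
        echo "cannot read $mod" >&2
        return 2
    fi
    if ldd "$mod" | has_yajl; then
        echo "$mod: libyajl is linked, JSON request bodies can be parsed"
        return 0
    fi
    echo "$mod: libyajl is not linked; JSON requests will fail with 'JSON support was not enabled'"
    echo "fix: install yajl-devel (available on CentOS 7) and rebuild from source, or raise it with the packager"
    return 1
}

# When run as a script with a module path, check that module.
[ $# -eq 0 ] || modsec_json_support "$1"
```

Run it as `sh modsec_json_check.sh /usr/lib64/httpd/modules/mod_security2.so`; a non-zero exit means the build cannot parse JSON bodies, which is the state the RHEL package is in according to this thread.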

Thanks for the quick reply @victorhora. I will check with Daniel Kopecek to see if this issue can be resolved. From the links bostrt has added, hope of a fix is not high:
"Will JSON support be included?
mod_security utilizes libyajl for JSON support. However, since the libyajl project is no longer maintained in upstream community, Red Hat cannot maintain an enterprise ready product by linking libyajl into additional applications like mod_security." https://access.redhat.com/solutions/2209421
@bostrt Thanks, yes I am able to compile mod_security on RHEL7 with JSON support using the yajl-devel CentOS package.

Ok. Closing this one based on @bostrt's and @nmiller12's comments.

Thanks @bostrt!

I have heard back from Daniel Kopecek who confirms that the modsecurity RHEL package will not have JSON support because the yajl project is no longer maintained.
Maybe modsecurity will use a different JSON library in the future that meets the RHEL requirements.

It appears that YAJL is still used in ModSecurity v3, since this exists: https://github.com/SpiderLabs/ModSecurity/blob/v3/master/build/yajl.m4

Are there any plans to eliminate the use of YAJL in ModSecurity since it's not available on RHEL/CentOS?

Or, is the modsecurity v3 library built in such a way that if we simply install YAJL ourselves on our CentOS instance, it will start using it (i.e., we don't have to recompile modsecurity v3 ourselves)? If so, is there any documentation about this?
