NGINX.COM

Tag: CVE

Using ModSecurity to Virtually Patch Apache Struts CVE-2017-5638

Many security vulnerabilities are found in libraries used by application code. When it's impractical to quickly deploy a fix to code in a library, you may be able to use ModSecurity to intercept an exploit, “virtually patching” the affected code until you can upgrade the affected libraries. The Apache Struts application library vulnerability (CVE-2017-5638), which…

Mitigating the HTTPoxy Vulnerability with NGINX

On July 18th, a vulnerability named ‘HTTPoxy’ was announced, affecting some server‑side web applications that run in CGI or CGI‑like environments, such as some FastCGI configurations. Languages known to be affected so far include PHP, Python, and Go. A number of CVEs have been assigned, covering specific languages and CGI implementations: Apache HTTP Server (CVE-2016-5387)…

Protecting NGINX and NGINX Plus from the POODLE Attack Against SSLv3 (CVE-2014-3566)

A recently reported vulnerability in version 3 of the SSL protocol (SSLv3) can be exploited in a man‑in‑the‑middle attack to extract parts of a plain‑text transmission that was encrypted with HTTPS. Google researchers have published a detailed explanation describing how such an attack might be mounted. This is not a vulnerability in any implementation of SSL/TLS, but…

NGINX and the CVE-2014-6271 Bash Advisory

On September 24, 2014, a vulnerability was revealed in the Bash shell interpreter. The details are described in CVE-2014-6271. Note that there is a follow-up vulnerability (CVE-2014-7169) that has not been patched as of this writing. This bug does not affect the NGINX or NGINX Plus software directly, but if you are running on an affected host system,…

NGINX and the 5 June 2014 OpenSSL Security Advisory

What is the Impact on NGINX of CVE‑2014‑0224 and Related OpenSSL Vulnerabilities? The OpenSSL project announced fixes to seven security vulnerabilities on 5 June 2014. The details are described in their Security Advisory. The vulnerabilities potentially affect any server application (including NGINX and NGINX Plus) that uses OpenSSL to terminate SSL/TLS traffic. They can be exploited…
