We have released updates to NGINX Open Source, NGINX Plus, and NGINX Ingress Controller to fix a vulnerability in DNS resolution (CVE-2021-23017). We consider the vulnerability to be low-severity, but encourage users to upgrade to the latest versions.
Tag: CVEs
Tag: CVEs
Mitigating Security Vulnerabilities Quickly and Easily with NGINX Plus
An often-overlooked benefit of NGINX Plus is how it makes protecting yourself against security threats quick and easy. We proactively inform NGINX Plus subscribers of security vulnerabilities and patches, provide help during attacks, support JWT and OIDC authentication, and more.
Addressing a DoS Vulnerability (CVE-2020-15598) in ModSecurity
On 14 September 2020 we released an update to the NGINX Plus ModSecurity module (for NGINX Plus R20, R21, and R22) in response to CVE-2020-15598. We encourage NGINX Plus subscribers to upgrade to the patched module.
Addressing the PHP-FPM Vulnerability (CVE-2019-11043) with NGINX
We provide guidance on using NGINX to mitigate the recently discovered vulnerability in PHP-FPM (CVE-2019-11043). The vulnerability is triggered when the PATH_INFO variable passed to PHP-FPM with an invalid value, which can happen in a common NGINX configuration.
NGINX Updates Mitigate the August 2019 HTTP/2 Vulnerabilities
We have released updates to NGINX Open Source and NGINX Plus to fix vulnerabilities in the HTTP/2 protocol that were announced today (CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516). Upgrade as soon as possible to NGINX 1.17.3, NGINX 1.16.1, or NGINX Plus R18 P1.
NGINX Response to the Meltdown and Spectre Vulnerabilities
The Meltdown and Spectre vulnerabilities stem from commonly found security flaws in microprocessors. They require patches to most OSs.
The Imperva HTTP/2 Vulnerability Report and NGINX
Security firm Imperva found four potential security vulnerabilities in HTTP/2, and one affects older versions of NGINX. Here are mitigation suggestions.