Tag: security advisory

The Imperva HTTP/2 Vulnerability Report and NGINX

On August 3, Imperva – an Internet security company – announced four potential security vulnerabilities in the HTTP/2 protocol, and issued a detailed report evaluating a number of web servers against these vulnerabilities. As shown in the table (from page 19 of the Imperva report), NGINX 1.9.9 performed comparatively well in Imperva’s tests, and was not affected by three of…


Using NGINX and NGINX Plus to Protect Against CVE-2015-1635

On April 14, Microsoft issued a vulnerability alert – now tracked as CVE-2015-1635 – about an issue that might permit remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. If patching your production Windows servers immediately is not an option, then NGINX and NGINX Plus can help protect you from attacks.…


Protecting NGINX and NGINX Plus from the POODLE Attack Against SSLv3 (CVE-2014-3566)

A recently reported vulnerability in version 3 of the SSL protocol (SSLv3) can be exploited in a man‑in‑the‑middle attack to extract parts of a plain‑text transmission that was encrypted with HTTPS. Google researchers have published a detailed explanation describing how such an attack might be mounted. This is not a vulnerability in any implementation of SSL/TLS, but…


NGINX and the CVE-2014-6271 Bash Advisory

On September 24, 2014, a vulnerability was revealed in the Bash shell interpreter. The details are described in CVE-2014-6271. Note that there is a follow-up vulnerability (CVE-2014-7169) that has not been patched as of this writing. This bug does not affect the NGINX or NGINX Plus software directly, but if you are running on an affected host system,…
