NGINX.COM
Web Server Load Balancing with NGINX Plus

Today, we are releasing updates to NGINX Plus, NGINX Open Source, NGINX Open Source Subscription, and NGINX Ingress Controller in response to recently discovered vulnerabilities in the NGINX modules for video streaming with the MP4 and Apple HTTP Live Streaming (HLS) formats, ngx_http_mp4_module and ngx_http_hls_module. (NGINX Open Source Subscription is a specially packaged edition of NGINX Open Source available in certain geographies.)

The vulnerabilities have been registered in the Common Vulnerabilities and Exposures (CVE) database and the F5 Security Incident Response Team (F5 SIRT) has assigned scores to them using the Common Vulnerability Scoring System (CVSS v3.1) scale.

The following vulnerabilities in the MP4 module (ngx_http_mp4_module) apply to NGINX Plus, NGINX Open Source, and NGINX Open Source Subscription.

The following vulnerability in the HLS module (ngx_http_hls_module) applies to NGINX Plus only.

Patches for these vulnerabilities are included in the following software versions:

  • NGINX Plus R27 P1
  • NGINX Plus R26 P1
  • NGINX Open Source 1.23.2 (mainline)
  • NGINX Open Source 1.22.1 (stable)
  • NGINX Open Source Subscription R2 P1
  • NGINX Open Source Subscription R1 P1
  • NGINX Ingress Controller 2.4.1
  • NGINX Ingress Controller 1.12.5

All versions of NGINX Plus, NGINX Open Source, NGINX Open Source Subscription, and NGINX Ingress Controller are affected. We strongly recommend that you upgrade your NGINX software to the latest version.

For NGINX Plus upgrade instructions, see Upgrading NGINX Plus in the NGINX Plus Admin Guide. NGINX Plus customers can also contact our support team for assistance at https://my.f5.com/.

Hero image
Managing Kubernetes Traffic with F5 NGINX: A Practical Guide

Learn how to manage Kubernetes traffic with F5 NGINX Ingress Controller and F5 NGINX Service Mesh and solve the complex challenges of running Kubernetes in production.



About The Author

Prabhat Dixit

Principal Product Manager

About F5 NGINX

F5, Inc. is the company behind NGINX, the popular open source project. We offer a suite of technologies for developing and delivering modern applications. Together with F5, our combined solution bridges the gap between NetOps and DevOps, with multi-cloud application services that span from code to customer.

Learn more at nginx.com or join the conversation by following @nginx on Twitter.