NGINX team has released patches for their popular web server software. These updates address four significant vulnerabilities related to the HTTP/3 implementation, specifically impacting configurations using the “ngx_http_v3_module”.
- CVE-2024-31079: A stack overflow and use-after-free vulnerability. Exploitation requires specifically timed HTTP/3 requests during the connection draining process, which attackers cannot easily influence. This vulnerability can lead to the termination of NGINX worker processes.
- CVE-2024-32760: A buffer overwrite vulnerability that occurs when NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module. This flaw allows undisclosed HTTP/3 encoder instructions to terminate NGINX worker processes or cause other potential impacts.
- CVE-2024-34161: A memory leakage issue arising when NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module on networks with a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation. Undisclosed QUIC packets can lead to leakage of previously freed memory.
- CVE-2024-35200: A NULL pointer dereference vulnerability triggered by undisclosed HTTP/3 requests, causing NGINX worker processes to terminate.
Advertisements
NGINX Plus users have also received an update in the form of Release 32 (R32), which is based on nginx 1.25.5. Administrators and users are recommended to update their NGINX installations to the latest versions (nginx 1.27.0, 1.26.1) to ensure the continued security and stability of their web services.
