Look out for incoming updates and patch, patch, patch!
Two bugs discovered in Nginx web servers could be exploited to achieve remote code execution (RCE), a security researcher has warned.
The vulnerabilities in question – described as an array overflow and an integer overflow – were reported by Alisa Esage via Trend Micro’s Zero Day Initiative (ZDI) disclosure platform.
The array overflow vulnerability (ZDI-CAN-8296) was patched in the 0.3.2 release.
In accordance with ZDI’s responsible disclosure policy, no further details have been released about the integer overflow vulnerability, although Nginx is understood to be working on a fix.
Scarce details have been released – Nginx has yet to publish a security advisory, despite making the issue public on GitHub.
Anyone using Nginx web servers could currently be at risk, and should patch as soon as updates become available.
Esage warns that the integer overflow bug (ZDI-CAN-8495) and the already-patched vulnerability could lead to RCE – a particular concern given that more than 40% of websites globally are estimated to use Nginx.
“Both Array and String methods of njs are potentially reachable with remote user input (http request data, etc.), as it’s mapped to a global JavaScript object available for parsing,” the researcher wrote on Twitter.
Nginx itself has publicly played down the risk, claiming on Twitter that “neither bug appears to be generally exploitable”.
There has also been talk on Twitter about the real-world implications of the bug, with even Esage admitting that the hype is “disproportional”.
The Daily Swig has reached out to Nginx for comment and will update the article accordingly.
