Look out for incoming updates and patch, patch, patch!
The array overflow vulnerability (ZDI-CAN-8296) was patched in the 0.3.2 release.
In accordance with ZDI’s responsible disclosure policy, no further details have been released about the integer overflow vulnerability, although Nginx is understood to be working on a fix.
Scarce details have been released – Nginx has yet to publish a security advisory, despite making the issue public on GitHub.
Anyone using Nginx web servers could currently be at risk, and should patch as soon as updates become available.
Esage warns that the integer overflow bug (ZDI-CAN-8495) and the already-patched vulnerability could lead to RCE – a particular concern given that more than 40% of websites globally are estimated to use Nginx.
Nginx itself has publicly played down the risk, claiming on Twitter that “neither bug appears to be generally exploitable”.
There has also been talk on Twitter about the real-world implications of the bug, with even Esage admitting that the hype is “disproportional”.
The Daily Swig has reached out to Nginx for comment and will update the article accordingly.