{"id":13007,"date":"2026-05-20T10:04:15","date_gmt":"2026-05-20T10:04:15","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/20\/new-nginx-vulnerability-allow-remote-attackers-to-trigger-malicious-code\/"},"modified":"2026-05-20T10:04:15","modified_gmt":"2026-05-20T10:04:15","slug":"new-nginx-vulnerability-allow-remote-attackers-to-trigger-malicious-code","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/20\/new-nginx-vulnerability-allow-remote-attackers-to-trigger-malicious-code\/","title":{"rendered":"New NGINX Vulnerability Allow Remote Attackers to Trigger Malicious Code"},"content":{"rendered":"<div>\n<p>A new vulnerability in NGINX JavaScript (njs), tracked as CVE\u20112026\u20118711, allows unauthenticated remote attackers to trigger a heap\u2011based buffer overflow that can lead to denial\u2011of\u2011service and, in some conditions, <a href=\"https:\/\/cybersecuritynews.com\/18-year-old-nginx-rce-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">remote code execution in the NGINX <\/a>worker process.<\/p>\n<p>The flaw is tied to how the js_fetch_proxy directive handles client\u2011controlled variables when combined with the ngx.fetch() operation from NGINX JavaScript.<\/p>\n<p>The issue arises in the ngx_http_js_module module when js_fetch_proxy is configured with at least one client\u2011controlled NGINX variable such as\u00a0,\u00a0, or\u00a0.<\/p>\n<p>If a location then invokes an NJS function that calls ngx.fetch(), an attacker can send crafted HTTP requests that result in a <a href=\"https:\/\/cybersecuritynews.com\/windows-heap-based-buffer-overflow-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">heap buffer overflow<\/a> in the NGINX worker process.<\/p>\n<h2 class=\"wp-block-heading\" 
id=\"h-nginx-buffer-overflow-vulnerability\">\n<strong>NGINX Buffer Overflow<\/strong> <strong>Vulnerability<\/strong><br \/>\n<\/h2>\n<p>The vulnerability is classified as CWE\u2011122: Heap\u2011based Buffer Overflow and is tracked internally by F5 as ID 160 for NGINX Plus and NGINX OSS.<\/p>\n<p>This defect primarily causes worker process crashes and automatic restarts, effectively producing a denial\u2011of\u2011service (DoS) condition on the NGINX data plane.<\/p>\n<p>On systems where <a href=\"https:\/\/cybersecuritynews.com\/hackers-exploiting-nginx-rce-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">Address Space Layout Randomization (ASLR)<\/a> is disabled or poorly configured, the overflow may be exploitable to execute arbitrary code in the worker context.<\/p>\n<p>The vulnerability affects NGINX JavaScript (njs) versions 0.9.4 through 0.9.8, with the fix introduced in njs 0.9.9.<\/p>\n<p>The impacted component is the ngx_http_js_module module, which exposes NJS-based HTTP processing directives such as js_content and js_fetch_proxy.<\/p>\n<p>A typical vulnerable pattern is a configuration in which js_fetch_proxy constructs a proxy URL using client\u2011supplied headers, for example, $http_x_user\u00a0and\u00a0$http_x_password, and js_content points to an NJS function (for example, main.fetcher) that calls ngx.fetch() with that URL.<\/p>\n<p>In this setup, an attacker can manipulate those header values to corrupt heap memory in the NGINX worker and repeatedly crash it.<\/p>\n<p><a href=\"https:\/\/my.f5.com\/manage\/s\/article\/K000161307\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">F5 stated in article K000161307<\/a> that the issue is limited to the data plane and does not affect the control plane.<\/p>\n<p>Other F5 products and services, such as BIG\u2011IP, BIG\u2011IQ, BIG\u2011IP Next, F5OS, and F5 Distributed Cloud services, are reported as not vulnerable to CVE\u20112026\u20118711 in their evaluated 
versions.<\/p>\n<p>Administrators running affected njs versions are strongly advised to upgrade to NGINX JavaScript 0.9.9 or later as the primary remediation.<\/p>\n<p>Environments where the \u201cVersions known to be vulnerable\u201d column applies should move to a release listed in the \u201cFixes introduced in\u201d column or later. <\/p>\n<p>Where an immediate upgrade is not possible, operators should review configurations for js_fetch_proxy usage with client\u2011controlled variables and refactor or remove these patterns, and ensure that ASLR is enabled on all NGINX hosts to hinder code\u2011execution attempts.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/nginx-buffer-overflow-vulnerability\/\">New NGINX Vulnerability Allow Remote Attackers to Trigger Malicious Code<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Abinaya<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/nginx-buffer-overflow-vulnerability\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>New NGINX Vulnerability Allow Remote Attackers to Trigger Malicious Code A new vulnerability in NGINX 
JavaScript (njs), tracked as CVE\u20112026\u20118711, allows unauthenticated remote attackers to trigger a heap\u2011based buffer overflow that can lead to denial\u2011of\u2011service and, in some conditions, remote code execution in the NGINX worker process. The flaw is tied to how the js_fetch_proxy [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-13007","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13007"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13007"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13007\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}