On May 25, 2021, NGINX announced the following security issues. This document is intended to serve as an overview of these vulnerabilities to help determine the impact to your NGINX systems. The details of each issue can be found in the associated Security Advisory.
High CVEs
CVSS score: 7.4 (High)
Intra-cluster communication does not use TLS. The services within the NGINX Controller namespace are using cleartext protocols inside the cluster.
CVSS score: 7.8 (High)
The NGINX Controller Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package.
Medium CVEs
CVSS score: 5.7 (Medium)
The NAAS API keys are generated using an insecure pseudo-random string and hashing algorithm, which may lead to predictable keys.
Low CVEs
CVSS score: 3.3 (Low)
The agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644.
CVSS score: 3.7 (Low)
A security issue in NGINX resolver may allow an attacker who is able to forge UDP packets from the specified DNS server to cause 1-byte memory overwrite, resulting in a worker process crash or other unspecified impact.
CPE | Name | Operator | Version |
---|---|---|---|
nginx plus | eq | R13 | |
nginx plus | eq | R14 | |
nginx plus | eq | R15 | |
nginx plus | eq | R16 | |
nginx plus | eq | R17 | |
nginx plus | eq | R18 | |
nginx plus | eq | R19 | |
nginx plus | eq | R20 | |
nginx plus | eq | R21 | |
nginx plus | eq | R22 |