Patching of Nginx CVE-2021-23017 for EOL Systems | tuxcare.com


Patching of nginx CVE-2021-23017 for EOL systems is being deployed

May 27, 2021 - TuxCare PR Team

Nginx is a critical part of the infrastructure of many organizations. It is used as a web server, a load balancer, a (reverse) proxy server, a port forwarder, and as a video streaming platform, among its many uses. Standalone or as part of a software stack, it supports a non-negligible share of the overall internet infrastructure we rely upon.

So when a new CVE affects nginx, the team at TuxCare pays special attention.

CVE-2021-23017 is an off-by-one flaw found in nginx code that affects all EOL versions we cover with our Extended Lifecycle Support service. Patches are already being rolled out for all systems.

Taking a deeper look at the vulnerability, it affects the part of nginx responsible for DNS resolution. A malicious DNS server can answer a query from nginx with a specially crafted packet that causes a "." character to be written out of bounds in a buffer inside nginx. For a properly motivated attacker, it is trivial to turn out-of-bounds write flaws of this kind into (remote) code execution.
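The flaw sits in the code that turns the label-encoded names in a DNS reply into dotted strings. The decoder below is an added example, not nginx's code, showing what a defensive version of that step looks like: every write of a label or of the "." separator is checked against the output buffer first, compression pointers are hop-limited, and a crafted reply can only make the call fail. The reply bytes are constructed for the example.

```c
/* Added example, not nginx's code: a bounds-checked decoder for the
 * label-encoded names in DNS replies; a bad reply can only make it fail. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Decode the name at msg[off] into a dotted, NUL-terminated string.
 * Returns the string length, or -1 if the reply is malformed, loops, or
 * does not fit in out_cap bytes. Compression pointers get a hop limit. */
int dns_decode_name(const uint8_t *msg, size_t msg_len, size_t off,
                    char *out, size_t out_cap)
{
    size_t n = 0;   /* bytes written to out */
    int hops = 0;
    if (out_cap == 0) return -1;
    for (;;) {
        if (off >= msg_len) return -1;
        uint8_t len = msg[off];
        if ((len & 0xC0) == 0xC0) {                 /* compression pointer */
            if (off + 1 >= msg_len || ++hops > 16) return -1;
            off = (size_t)(((len & 0x3F) << 8) | msg[off + 1]);
            continue;
        }
        if (len & 0xC0) return -1;                  /* reserved label type */
        off++;
        if (len == 0) break;                        /* root label: end of name */
        if (off + len > msg_len) return -1;         /* label runs past the reply */
        if (n > 0) {                                /* '.' between labels: the */
            if (n + 1 >= out_cap) return -1;        /* byte the CVE writes OOB */
            out[n++] = '.';
        }
        if (n + len >= out_cap) return -1;          /* label plus NUL must fit */
        memcpy(out + n, msg + off, len);
        n += len;
        off += len;
    }
    out[n] = '\0';
    return (int)n;
}
/* Constructed reply fragment: "www.example.com" (offset 0), a pointer back
 * to it (17), a pointer that loops on itself (19) and a bare root name (21). */
static const uint8_t sample_reply[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0xC0, 0x00, 0xC0, 0x13, 0 };
static char last_name[64];
/* Decode from sample_reply into last_name, capped at cap bytes. */
int sample_decode(size_t off, size_t cap)
{
    return dns_decode_name(sample_reply, sizeof sample_reply, off, last_name,
                           cap < sizeof last_name ? cap : sizeof last_name);
}
```

With a 15-byte buffer the 15-character name plus its terminator does not fit, and the decoder reports failure instead of writing the extra byte.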

Additionally, nginx has no spoofing mitigations when performing DNS queries. A machine placed between nginx and its legitimate, non-malicious DNS server could inject spoofed DNS replies into nginx through a man-in-the-middle attack. This would trigger the vulnerability described in this new CVE, so the issue can have a severe impact and reach.

While there are no known malware tools currently available with this exploit code, proof-of-concept code has been developed to demonstrate the exploitation of this vulnerability.


This CVE was disclosed on the 26th of May, 2021, and TuxCare started rolling out patches for it on the same day. If you are a TuxCare Extended Lifecycle Support service subscriber, you can rest assured that your systems are not vulnerable to this flaw. If you are interested in subscribing to the service, contact our engineers here for more information.
