May 27, 2021 - TuxCare PR Team
Nginx is a critical part of the infrastructure of many organizations. It is used as a web server, a load balancer, a (reverse) proxy server, a port forwarder, and as a video streaming platform, among its many uses. Standalone or as part of a software stack, it supports a non-negligible share of the overall internet infrastructure we rely upon.
So when a new CVE affects nginx, the team at TuxCare pays special attention.
CVE-2021-23017 is an off-by-one flaw found in nginx code that affects all EOL versions we cover with our Extended Lifecycle Support service. Patches are already being rolled out for all systems.
A deeper look at the vulnerability shows that it affects the part of nginx responsible for DNS resolution. A malicious DNS server can answer a query from nginx with a specially crafted packet that results in a “.” character being written out-of-bounds in a buffer inside nginx. For a properly motivated attacker, it is trivial to turn out-of-bounds flaws of this kind into (remote) code execution scenarios.
Additionally, nginx has no spoofing mitigations when performing DNS queries. A machine placed between nginx and the legitimate, non-malicious DNS server could inject spoofed DNS replies into nginx through a man-in-the-middle attack, triggering the vulnerability described in this new CVE. This issue can therefore have a severe impact and reach.
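The decompression step described above, as an added illustration that is not nginx's code: a bounds-checked decoder for compressed DNS names in C that emits a “.” separator only once a following label is known to exist and checks every write, the separator included, against the buffer capacity. The message bytes and offsets in `sample` are constructed for this example; it includes a name whose trailing compression pointer targets the root label and a self-referencing pointer.

```c
#include <stddef.h>
#include <string.h>
/* Decode the (possibly compressed) DNS name at msg[off] into out (outcap bytes
 * including the NUL). Returns the decoded length, or -1 on malformed input or
 * insufficient space: every write, the '.' separator included, is checked. */
static int dns_name_decode(const unsigned char *msg, size_t msglen, size_t off,
                           char *out, size_t outcap)
{
    size_t pos = off, olen = 0;
    int hops = 0;
    for (;;) {
        if (pos >= msglen) return -1;            /* length byte outside message */
        unsigned n = msg[pos++];
        if (n == 0) break;                       /* root label ends the name */
        if ((n & 0xc0) == 0xc0) {                /* compression pointer */
            if (pos >= msglen || ++hops > 128) return -1;  /* bound pointer chains */
            pos = ((n & 0x3f) << 8) | msg[pos];
            continue;
        }
        if ((n & 0xc0) || pos + n > msglen) return -1;  /* reserved type / truncated label */
        if (olen > 0) {                          /* emit '.' only once a next label is known */
            if (olen + 1 >= outcap) return -1;
            out[olen++] = '.';
        }
        if (olen + n >= outcap) return -1;       /* keep room for the NUL */
        memcpy(out + olen, msg + pos, n);
        olen += n; pos += n;
    }
    if (olen >= outcap) return -1;
    out[olen] = '\0';
    return (int)olen;
}

/* Constructed sample: "www.example.com" at 0, "mail.example.com" at 17 (pointer
 * to offset 4), "a" at 24 whose trailing pointer targets the root byte at 16,
 * and a self-referencing pointer at 28. */
static const unsigned char sample[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    4,'m','a','i','l', 0xc0,0x04,  1,'a', 0xc0,0x10,  0xc0,0x1c,
};

/* 1 if decoding sample[off] into a cap-byte buffer (cap <= 64) yields expect;
 * with expect == NULL, 1 if the decoder rejects the input. */
static int sample_matches(size_t off, size_t cap, const char *expect)
{
    char buf[64];
    int n = dns_name_decode(sample, sizeof sample, off, buf, cap);
    if (expect == NULL) return n == -1;
    return n == (int)strlen(expect) && strcmp(buf, expect) == 0;
}
```

The case at offset 24 is the one to watch: a decoder that writes the separator as soon as the next length byte is non-zero would emit an extra byte there, because that byte is a pointer to the root label rather than a real label.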
While no malware tools exploiting this flaw are currently known to be available, proof-of-concept code demonstrating exploitation of this vulnerability has been developed.
This CVE was disclosed on the 26th of May, 2021, and TuxCare started rolling out patches for it on the same day. If you are a TuxCare Extended Lifecycle Support service subscriber, you can rest assured that your systems are not vulnerable to this flaw. If you are interested in subscribing to the service, contact our engineers here for more information.