Описание
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.
Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html .
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
A flaw was found in the nginx HTTP/3 implementation. This issue may allow an attacker to use a specially crafted QUIC session to trigger a use-after-free condition, causing a worker process to crash, leading to a denial of service.
Отчет
The nginx package as shipped in Red Hat Enterprise Linux 8, 9 and RHSCL is not affected by this vulnerability because support for HTTP3 is not enabled and the vulnerable code was introduced in a newer version of nginx.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 1.2 | nginx | Not affected | ||
| Red Hat Enterprise Linux 8 | nginx:1.22/nginx | Not affected | ||
| Red Hat Enterprise Linux 8 | nginx:1.24/nginx | Not affected | ||
| Red Hat Enterprise Linux 9 | nginx | Not affected | ||
| Red Hat Enterprise Linux 9 | nginx:1.22/nginx | Not affected | ||
| Red Hat Enterprise Linux 9 | nginx:1.24/nginx | Not affected | ||
| Red Hat Software Collections | rh-nginx118-nginx | Not affected | ||
| Red Hat Software Collections | rh-nginx120-nginx | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC mod ...
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Уязвимость модуля ngx_http_v3_module серверов NGINX и NGINX Plus, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
7.5 High
CVSS3