CVE-2025-23419

Published: 05 Feb 2025
Source: redhat
CVSS3: 4.3
EPSS: Low

Description

When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key) are used and/or the SSL session cache (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache) are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

A flaw was found in nginx. When name-based virtual hosts are configured to share the same IP address and port combination with TLS 1.3 and OpenSSL, a previously authenticated attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS session tickets are used, the SSL session cache is used in the default virtual server, and the default virtual server performs client certificate authentication.
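
Added example (not part of the advisory or of nginx): a small Python audit that flags listen sockets matching the preconditions described above, that is, several server blocks on one socket whose default server verifies client certificates while session tickets or a session cache are in use. It assumes server-level directives in a single file (no `include` or `http`-level inheritance), compares `listen` values as written, and does not check the TLS version; `SAMPLE_CONF` and its hostnames are constructed.

```python
import re
from collections import defaultdict
# Constructed sample config for illustration; hostnames are placeholders.
SAMPLE_CONF = """
server {
    listen 443 ssl default_server;
    server_name mtls.example.test;
    ssl_verify_client on;
    ssl_session_cache shared:SSL:10m;
    location / { return 200; }
}
server { listen 443 ssl; server_name open.example.test; }
server { listen 8443 ssl; server_name solo.example.test; ssl_verify_client on; }
"""

def server_blocks(conf):
    """Yield top-level directives of each server block as {name: [args, ...]}."""
    conf = re.sub(r"#.*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:          # find the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body, prev = conf[m.end():i - 1], None
        while body != prev:                     # drop nested blocks (location, if)
            prev, body = body, re.sub(r"[^;{}]*\{[^{}]*\}", "", body)
        directives = defaultdict(list)
        for stmt in filter(None, (s.split() for s in body.split(";"))):
            directives[stmt[0]].append(stmt[1:])
        yield directives

def exposed_sockets(conf):
    """Return listen sockets matching the preconditions in the advisory text."""
    by_socket = defaultdict(list)
    for d in server_blocks(conf):
        for args in d.get("listen", []):
            by_socket[args[0]].append(("default_server" in args, d))
    hits = []
    for sock, members in by_socket.items():
        if len(members) < 2:
            continue                            # no other server block shares it
        # nginx uses the first block for a socket unless default_server is set
        default = next((d for flag, d in members if flag), members[0][1])
        # Fallbacks are nginx defaults: verify off, tickets on, cache none.
        verify = default.get("ssl_verify_client", [["off"]])[-1][0]
        tickets = default.get("ssl_session_tickets", [["on"]])[-1][0]
        cache = default.get("ssl_session_cache", [["none"]])[-1][0]
        if verify != "off" and (tickets != "off" or cache not in ("none", "off")):
            hits.append(sock)
    return hits
```

A socket reported here only meets the configuration preconditions; whether the host is affected still depends on the installed nginx package version listed in the table below.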

Report

In regulated environments, layered security controls significantly reduce the risk of exploiting this CWE-287: Improper Authentication vulnerability, justifying a severity downgrade from Moderate to Low. Access to the platform is granted only after successful authentication through multifactor authentication (MFA). Domain accounts are configured to lock out based on predefined access policies, reducing the effectiveness of brute-force attacks on authentication mechanisms. The platform employs IAM roles for identification and authentication within its cloud infrastructure that govern user access to resources and manage provisioning, deployment, and configuration within the platform environment. This reduces the risk of unauthorized access through third-party or external user accounts. Finally, memory protection mechanisms are used to enhance resilience against unauthorized commands or improper authentication. This vulnerability affects NGINX versions 1.11.4 to 1.27.3 and is fixed in 1.27.4 (mainline) and 1.26.3 (stable). RHEL 9 includes a backported fix in the NGINX 1.20 package. In RHEL 8 and 9 modular streams (1.22/1.24), the issue is marked "Fix deferred" — see the FAQ for details. RHEL 10 and later, with NGINX 1.26+, are not affected.

Mitigation

Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability.

Affected packages

| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 1.2 | nginx | Fix deferred | | |
| Red Hat Enterprise Linux 10 | nginx | Not affected | | |
| Red Hat Enterprise Linux 8 | nginx:1.22/nginx | Fix deferred | | |
| Red Hat Enterprise Linux 8 | nginx:1.24/nginx | Fix deferred | | |
| Red Hat Enterprise Linux 9 | nginx:1.22/nginx | Fix deferred | | |
| Red Hat Enterprise Linux 9 | nginx:1.24/nginx | Fix deferred | | |
| Red Hat Enterprise Linux 9 | nginx:1.26/nginx | Not affected | | |
| Red Hat Insights proxy 1 | insights-proxy/insights-proxy-container-rhel9 | Fix deferred | | |
| Red Hat Enterprise Linux 9 | nginx | Fixed | RHSA-2025:7331 | 13.05.2025 |

Additional information

Status: Moderate
Defect: CWE-287
https://bugzilla.redhat.com/show_bug.cgi?id=2344005 nginx: TLS Session Resumption Vulnerability

EPSS

Percentile: 31%
0.00114
Low

4.3 Medium

CVSS3

Related vulnerabilities

CVSS3: 4.3
ubuntu
6 months ago

When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key) are used and/or the SSL session cache (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache) are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS3: 4.3
nvd
6 months ago

When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key) are used and/or the SSL session cache (https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache) are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS3: 4.3
msrc
6 months ago

No description available

CVSS3: 4.3
debian
6 months ago

When multiple server blocks are configured to share the same IP addres ...

CVSS3: 4.3
redos
5 months ago

nginx vulnerability
