We have released updates to NGINX Plus, NGINX Open Source, NGINX Open Source Subscription, and NGINX Ingress Controller to fix vulnerabilities in the modules for MP4 and HLS video streaming (CVE-2022-41741 through CVE-2022-41743).
Addressing Security Weaknesses in the NGINX LDAP Reference Implementation
We describe security vulnerabilities recently discovered in the NGINX LDAP reference implementation, and how to mitigate them. NGINX Open Source and NGINX Plus are not affected, and no corrective action is required if you do not use the reference implementation.
Mitigating the log4j Vulnerability (CVE-2021-44228) with NGINX
NGINX can help you protect your apps against the Log4Shell vulnerability in Apache log4j (CVE-2021-44228), with NGINX App Protect, NGINX ModSecurity WAF, or a script using the NGINX JavaScript Module.
Updating NGINX for a DNS Resolver Vulnerability (CVE-2021-23017)
We have released updates to NGINX Open Source, NGINX Plus, and NGINX Ingress Controller to fix a vulnerability in DNS resolution (CVE-2021-23017). We consider the vulnerability to be low-severity, but encourage users to upgrade to the latest versions.
Addressing a DoS Vulnerability (CVE-2020-15598) in ModSecurity
On 14 September 2020 we released an update to the NGINX Plus ModSecurity module (for NGINX Plus R20, R21, and R22) in response to CVE-2020-15598. We encourage NGINX Plus subscribers to upgrade to the patched module.
Addressing the PHP-FPM Vulnerability (CVE-2019-11043) with NGINX
We provide guidance on using NGINX to mitigate the recently discovered vulnerability in PHP-FPM (CVE-2019-11043). The vulnerability is triggered when the PATH_INFO variable is passed to PHP-FPM with an invalid value, which can happen in a common NGINX configuration.
NGINX Updates Mitigate the August 2019 HTTP/2 Vulnerabilities
We have released updates to NGINX Open Source and NGINX Plus to fix vulnerabilities in the HTTP/2 protocol that were announced today (CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516). Upgrade as soon as possible to NGINX 1.17.3, NGINX 1.16.1, or NGINX Plus R18 P1.
Is Your API Management Solution Really Secure?
Is your API management solution secure when vulnerabilities are found? The NGINX team builds patches into the NGINX Controller API Management Module as soon as they're available. Third-party solutions built on NGINX can leave you vulnerable while vendors test and port patches.
Using ModSecurity to Virtually Patch Apache Struts CVE-2017-5638
When a CVE appears, updating affected libraries and re-testing can be too slow. See how to quickly apply a "virtual patch" with ModSecurity.
NGINX Response to the Meltdown and Spectre Vulnerabilities
The Meltdown and Spectre vulnerabilities stem from commonly found security flaws in microprocessors. They require patches to most OSs.