HTTP/2 Vulnerabilities in Nginx


In August 2019, NGINX released updates that mitigate vulnerabilities found in many implementations of HTTP/2. NGINX and Cloudflare are both aware of the issue. Fortunately, if you use Cloudflare as a proxy, you are safe: Cloudflare has already implemented the mitigation, so you have nothing to worry about. “Customers using Cloudflare are already protected against these attacks.” Reference: https://blog.cloudflare.com/on-the-recent-http-2-dos-attacks/

The following is NGINX's statement:

Today we are releasing updates to NGINX Open Source and NGINX Plus in response to the recent discovery of vulnerabilities in many implementations of HTTP/2. We strongly recommend upgrading all systems that have HTTP/2 enabled.

In May 2019, researchers at Netflix discovered a number of security vulnerabilities in several HTTP/2 server implementations. These were responsibly reported to each of the vendors and maintainers concerned. NGINX was vulnerable to three attack vectors, as detailed in the following CVEs:

We have addressed these vulnerabilities, and added other HTTP/2 security safeguards, in the following NGINX versions:

  • NGINX 1.16.1 (stable)
  • NGINX 1.17.3 (mainline)
  • NGINX Plus R18 P1

Reference:
https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/
http://nginx.org/en/security_advisories.html
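To check a host against the fixed releases listed above, the following added example (not code from NGINX or from the original post) takes the banner printed by `nginx -v` and the configuration text, and reports whether an upgrade is needed. The function names and sample inputs are constructed for illustration, and it assumes an NGINX Plus banner contains the word "plus"; Plus builds are reported separately because they use their own release numbers.

```python
import re

# Fixed NGINX Open Source releases named in the statement above.
FIXED_STABLE = (1, 16, 1)
FIXED_MAINLINE = (1, 17, 3)

def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version in banner: %r" % banner)
    return tuple(int(x) for x in m.groups())

def has_http2_fixes(banner):
    """True/False for Open Source builds; None for NGINX Plus (assumed banner)."""
    if "plus" in banner.lower():
        return None
    v = parse_version(banner)
    if v[:2] == FIXED_STABLE[:2]:      # 1.16.x stable branch
        return v >= FIXED_STABLE
    return v >= FIXED_MAINLINE         # older branches did not get a fixed release

def http2_enabled(config_text):
    """True if an active `listen ... http2;` or `http2 on;` directive exists."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if re.match(r"listen\b.*\bhttp2\b|http2\s+on\s*;", line):
            return True
    return False

def assess(banner, config_text):
    """Combine both checks into one verdict string."""
    if not http2_enabled(config_text):
        return "not exposed: HTTP/2 not enabled"
    fixed = has_http2_fixes(banner)
    if fixed is None:
        return "check NGINX Plus release"
    return "patched" if fixed else "upgrade required"

# Constructed sample inputs (not taken from a real host).
SAMPLE_BANNER = "nginx version: nginx/1.16.0"
SAMPLE_CONFIG = """
server {
    # listen 80 http2;
    listen 443 ssl http2;
}
"""
if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONFIG))
```

On a real host, feed it the output of `nginx -v` (written to stderr) and `nginx -T`. Distribution packages may backport the fixes without changing the upstream version number, so treat "upgrade required" as a prompt to check the package changelog.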
