NGINX Releases Security Updates: HTTP/3 Vulnerabilities Patched

In a recent security advisory, the NGINX development team has released crucial updates for their popular web server software, urging users to upgrade immediately. These updates address four significant vulnerabilities related to the HTTP/3 implementation, specifically impacting configurations using the “ngx_http_v3_module”.

• CVE-2024-32760: A buffer overwrite vulnerability that occurs when NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module. This flaw allows undisclosed HTTP/3 encoder instructions to terminate NGINX worker processes or cause other potential impacts.
• CVE-2024-31079: A stack overflow and use-after-free vulnerability. Exploitation requires specifically timed HTTP/3 requests during the connection draining process, which attackers cannot easily influence. This vulnerability can lead to the termination of NGINX worker processes.
• CVE-2024-35200: A NULL pointer dereference vulnerability triggered by undisclosed HTTP/3 requests, causing NGINX worker processes to terminate.
• CVE-2024-34161: A memory leakage issue arising when NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module on networks with a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation. Undisclosed QUIC packets can lead to leakage of previously freed memory.

NGINX Plus users have also received an update in the form of Release 32 (R32), which is based on nginx 1.25.5 and includes the necessary security patches along with other bug fixes.

While these vulnerabilities are rated as “Medium” severity, they pose a significant risk to websites and applications relying on NGINX’s HTTP/3 capabilities. Administrators and users are strongly advised to update their NGINX installations to the latest versions (nginx 1.27.0, 1.26.1) without delay to ensure the continued security and stability of their web services.