NGINX Releases Urgent Patch for HTTP/3 Vulnerabilities (CVE-2024-24989, CVE-2024-24990)

CVE-2024-24989, CVE-2024-24990

NGINX, the workhorse web server behind countless high-traffic websites, has released an urgent patch (version 1.25.4) to address two critical vulnerabilities (CVE-2024-24989, CVE-2024-24990) lurking within its experimental HTTP/3 implementation. While this newer, faster protocol enhances web performance, its cutting-edge nature also introduces potential security risks.

CVE-2024-24989, CVE-2024-24990

What’s the Impact?

If unpatched, these flaws open the door for threat actors to:

  • Crash Servers: Maliciously designed QUIC sessions sent to vulnerable NGINX servers can trigger worker process crashes, leading to widespread denial-of-service (DoS).
  • Further Exploitation: While the exact scope is still under investigation, CVE-2024-24990 hints at the potential for deeper compromise beyond simple crashes.

Both CVE-2024-24989 and CVE-2024-24990 have a CVSS score of 7.5. “This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) on the NGINX system,” F5 warns.

Who’s at Risk?

You are affected by these vulnerabilities if your NGINX configuration meets the following criteria:

  1. NGINX version between 1.25.0 and 1.25.3.
  2. You’ve explicitly compiled NGINX with the ngx_http_v3_module (this is NOT the default).
  3. The “quic” option is enabled in your “listen” directive within the configuration file.

Immediate Action

  • Upgrade ASAP: If your systems are vulnerable, don’t delay. Upgrade to NGINX version 1.25.4 to apply the essential patches.
  • No Workaround: Unfortunately, there are no simple workarounds or temporary fixes. Disabling HTTP/3 is the only reliable way to mitigate these specific flaws.

Looking Ahead

F5, the company behind NGINX, advises extreme caution around using HTTP/3 in production environments for the time being. While the protocol promises greater speeds and resilience, security wrinkles might linger in its early adoption phases. This incident underscores the importance of rigorous testing and threat modeling, especially when adopting bleeding-edge web technologies.

For deeper technical inquiries into HTTP/3 security or detailed configuration instructions, follow the relevant links from the official NGINX security advisory.