Tell HN: A new Nginx 0-day just dropped
11 points
by etenal
3 days ago
We (Nebula Security) just dropped an nginx remote code execution 0-day. This vulnerability affects dozens of Fortune 500 companies, and we disclosed it to the nginx team immediately. This 0-day is the third nginx bug to receive a "major" rating since 2014. (https://x.com/nebusecurity/status/2067623683427045541)

To check if your server is impacted:

1. You are running NGINX Open Source v1.31.0 or v1.31.1
2. Your NGINX configuration enables HTTP/3 / QUIC

Immediate action:

1. Upgrade NGINX to v1.31.2 or later
2. If you cannot upgrade immediately, disable QUIC / HTTP/3 until you can patch

Shameless plug: this is the second nginx RCE 0-day we found in a month, using our security agent VEGA. (See our first nginx RCE at https://x.com/nebusecurity/status/2057071579876753643.) We'll be doing an HN launch, but wanted to get the word out about this RCE sooner. In the meantime, if you are interested in trying VEGA on your codebase, reach out at etenz@nebusec.ai.
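The two "are you impacted" checks and the remediation advice in the post above, turned into a script you can run on a host. This is an added example, not code from the post's author, from Nebula Security or from the nginx project. It assumes that `nginx -v` prints `nginx version: nginx/X.Y.Z` on stderr, that `nginx -T` dumps the full effective configuration (include files resolved; this usually needs root), and that an HTTP/3 listener is identifiable by the `quic` parameter on a `listen` directive, which is the switch that turns QUIC on in nginx. The two sample configs embedded in the block are constructed for the offline dry run.

```shell
#!/bin/sh
# Added example (not from the post or the nginx project): automate the two
# "are you impacted" conditions stated in the post. Assumptions: `nginx -v`
# prints "nginx version: nginx/X.Y.Z", and an HTTP/3 listener shows up as the
# `quic` parameter on a `listen` directive.

# Returns 0 when VERSION is one of the two builds the post names.
is_affected_version() {
  case "$1" in
    1.31.0|1.31.1) return 0 ;;
    *)             return 1 ;;
  esac
}

# Returns 0 when CONFIG_TEXT contains an active (non-commented) listen
# directive carrying the quic parameter, e.g. "listen 443 quic reuseport;".
# Comments are stripped first so a commented-out listener does not count.
config_enables_quic() {
  printf '%s\n' "$1" \
    | sed 's/#.*$//' \
    | grep -Eq '^[[:space:]]*listen[^;]*[[:space:]]quic([[:space:]]|;)'
}

# Extracts the bare version number from `nginx -v` (which writes to stderr).
get_nginx_version() {
  nginx -v 2>&1 | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# assess VERSION CONFIG_TEXT: prints a verdict and returns 0 only when both
# conditions from the post hold (affected version AND a quic listener).
assess() {
  if ! is_affected_version "$1"; then
    echo "nginx ${1:-<unknown>}: not one of the versions named in the post"
    return 1
  fi
  if config_enables_quic "$2"; then
    echo "nginx $1 with a quic listener: EXPOSED - upgrade to 1.31.2+ or drop the quic parameter"
    return 0
  fi
  echo "nginx $1 without a quic listener: not exposed by the post's criteria; upgrade anyway"
  return 1
}

# Constructed sample configs for the offline dry run (not real deployments).
SAMPLE_QUIC='server {
    listen 443 quic reuseport;
    listen 443 ssl;
}'
SAMPLE_PLAIN='server {
    listen 443 ssl;
    # listen 443 quic reuseport;   <- commented out, must not count
}'

# Offline dry run over the constructed samples.
demo() {
  assess 1.31.1 "$SAMPLE_QUIC"   # exposed: affected version + quic listener
  assess 1.31.1 "$SAMPLE_PLAIN"  # affected version, but no active quic listener
  assess 1.31.2 "$SAMPLE_QUIC"   # quic listener, but already on the fixed version
  return 0
}

# Live check against the local nginx when one is on PATH; `nginx -T` dumps
# the full config including include files (usually needs root).
live_check() {
  if command -v nginx >/dev/null 2>&1; then
    assess "$(get_nginx_version)" "$(nginx -T 2>/dev/null)"
  else
    echo "nginx not found on PATH; running offline demo instead"
    demo
  fi
}

live_check
```

The version check is deliberately an exact match on the two builds the post names rather than a range comparison, so it says nothing about versions the post does not mention. The listener check keys on the `quic` parameter because that is the only way an nginx build gets an HTTP/3 socket; a binary compiled with QUIC support but with no such `listen` line is not serving HTTP/3.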
QUIC isn't enabled by default.