Nginx漏洞
大约 4 分钟
Nginx漏洞
https://nginx.org/en/security_advisories.html
常见的几个漏洞
| 漏洞详情 | 解决方案 |
|---|---|
| SSL/TLS协议信息泄露漏洞(CVE-2016-2183)+DD3:E16 | 建议:避免使用IDEA、DES和3DES算法 1、OpenSSL Security Advisory [22 Sep 2016] 链接:https://www.openssl.org/news/secadv/20160922.txt 请在下列网页下载最新版本: https://www.openssl.org/source/ 2、对于nginx、apache、lighttpd等服务器禁止使用DES加密算法 主要是修改conf文件 3、Windows系统可以参考如下链接: https://social.technet.microsoft.com/Forums/en-US/31b3ba6f-d0e6-417a-b6f 1-d0103f054f8d/ssl-medium-strength-cipher-suites-supported-sweet32cve20 162183?forum=ws2016 |
| nginx 缓冲区错误漏洞(CVE-2022-41741) | 缓解措施:只允许受信用户发布音频和视频文件,或者在 NGINX 配置中禁用 MP4 模块,直到升级至修复版本。 厂商补丁: 目前厂商已发布升级补丁以修复漏洞,补丁获取链接: http://nginx.org/download/patch.2022.mp4.txt |
| nginx 越界写入漏洞(CVE-2022-41742) | 缓解措施:只允许受信用户发布音频和视频文件。或者在 NGINX 配置中禁用 HLS 模块,直到升级至修复版本,可缓解此风险。 厂商补丁: 目前厂商已发布升级补丁以修复漏洞,补丁获取链接: http://nginx.org/download/patch.2022.mp4.txt |
| Nginx 信任管理问题漏洞(CVE-2021-3618) | 厂商升级: Nginx ----- 目前厂商已经发布了新版本以修复这个安全问题,请到厂商的主页下载: 下载链接:http://nginx.org/en/download.html |
| Nginx range filter 整型溢出漏洞(CVE-2017-7529) | 厂商升级: Nginx ----- 目前厂商已经发布了新版本以修复这个安全问题,请到厂商的主页下载: 修复版本:1.12.1,1.13.3 下载链接:http://nginx.org/en/download.html 无法升级的旧版本可以在不影响业务的前提下,禁用multipart range功能,在Nginx 配置文件中添加max_ranges 1; |
| nginx 安全漏洞(CVE-2018-16843) | 厂商补丁: 目前厂商已发布升级补丁以修复漏洞,补丁获取链接: http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html |
| nginx 安全漏洞(CVE-2018-16844) | 厂商补丁: 目前厂商已发布升级补丁以修复漏洞,补丁获取链接: http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html?_ga= 2.143807029.1839563140.1541529087-1530719350.1541529087 |
| nginx 安全漏洞(CVE-2021-23017) | 厂商补丁: 目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://www.nginx.com/blog/updating-nginx-dns-resolver-vulnerability-cve-2 021-23017/ |
| HTTP/2 安全漏洞(CVE-2019-9511) | 厂商补丁: 目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://nginx.org/en/security_advisories.html |
| HTTP/2 安全漏洞(CVE-2019-9513 | 厂商补丁: 目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://nginx.org/en/security_advisories.html |
| NGINX 安全漏洞(CVE-2017-20005) | 厂商补丁: 建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法: https://nginx.org/en/download.html |
| nginx 安全漏洞(CVE-2018-16845) | 厂商补丁: 目前厂商已发布升级补丁以修复漏洞,补丁获取链接: http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html |
| NGINX 环境问题漏洞(CVE-2019-20372 | 厂商补丁: 目前厂商已发布升级补丁以修复漏洞,补丁获取链接: http://nginx.org/en/CHANGES |
| HTTP/2 安全漏洞(CVE-2019-9516) | 厂商补丁: 目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://nginx.org/en/security_advisories.html |
案例:解决 nginx 缓冲区错误漏洞(CVE-2022-41741)
https://nginx.org/en/security_advisories.html
ngx_http_mp4_module 中的内存损坏 严重性:中 咨询 ===> 介绍可以升级版本到1.23.2+ 或者支持打补丁 : http://nginx.org/download/patch.2022.mp4.txtCVE-2022-41741 不易受攻击:1.23.2+、1.22.1+ 易受攻击:1.1.3-1.23.1、1.0.7-1.0.15 补丁 pgp
这里介绍通过打补丁的方式解决:
1.切换到nginx源码根目录下
2.下载补丁 wget http://nginx.org/download/patch.2022.mp4.txt
3.patch -p1 < patch.2022.mp4.txt
4.命令行显示 File to patch: 输入 src/http/modules/ngx_http_mp4_module.c
5.执行make && make install命令重新编译并安装nginx。
[root@localhost nginx-1.13.7]# patch -p1 < patch.2022.mp4.txt ####
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git src/http/modules/ngx_http_mp4_module.c src/http/modules/ngx_http_mp4_module.c
|--- src/http/modules/ngx_http_mp4_module.c
|+++ src/http/modules/ngx_http_mp4_module.c
--------------------------
File to patch: src/http/modules/ngx_http_mp4_module.c #### 输入 src/http/modules/ngx_http_mp4_module.c 这个是由 patch.2022.mp4.txt 文件中拿到的
patching file src/http/modules/ngx_http_mp4_module.c
Hunk #1 succeeded at 1062 (offset -59 lines).
Hunk #2 succeeded at 1126 (offset -59 lines).
Hunk #3 succeeded at 1199 (offset -59 lines).
Hunk #4 succeeded at 1331 (offset -59 lines).
Hunk #5 succeeded at 1602 with fuzz 2 (offset -59 lines).
Hunk #6 succeeded at 1647 (offset -60 lines).
Hunk #7 succeeded at 1776 with fuzz 1 (offset -60 lines).
Hunk #8 succeeded at 1825 (offset -81 lines).
Hunk #9 succeeded at 1859 (offset -81 lines).
Hunk #10 succeeded at 1908 (offset -81 lines).
Hunk #11 succeeded at 1948 (offset -81 lines).
Hunk #12 succeeded at 1988 (offset -81 lines).
Hunk #13 succeeded at 2022 (offset -81 lines).
Hunk #14 succeeded at 2096 (offset -134 lines).
Hunk #15 succeeded at 2170 (offset -134 lines).
Hunk #16 succeeded at 2382 (offset -197 lines).
Hunk #17 succeeded at 2587 (offset -197 lines).
Hunk #18 succeeded at 2797 (offset -197 lines).
Hunk #19 succeeded at 3136 (offset -197 lines).
Hunk #20 succeeded at 3312 (offset -211 lines).
Hunk #21 succeeded at 3506 (offset -233 lines).