K52559937 : Overview of NGINX vulnerabilities (May 2021)

Security Advisory Description

On May 25, 2021, NGINX announced the following security issues. This document is intended to serve as an overview of these vulnerabilities to help determine the impact to your NGINX systems. The details of each issue can be found in the associated Security Advisory.

High CVEs

• K97002210: NGINX Controller vulnerability CVE-2021-23018

CVSS score: 7.4 (High)

Intra-cluster communication does not use TLS. The services within the NGINX Controller namespace are using cleartext protocols inside the cluster.

• K04884013: NGINX Controller vulnerability CVE-2021-23019

CVSS score: 7.8 (High)

The NGINX Controller Administrator password may be exposed in the systemd.txt file that is included in the NGINX support package.

Medium CVEs

• K45263486: NGINX Controller vulnerability CVE-2021-23020

CVSS score: 5.7 (Medium)

The NAAS API keys are generated using an insecure pseudo-random string and hashing algorithm, which may lead to predictable keys.

Low CVEs

• K36926027: NGINX Controller vulnerability CVE-2021-23021

CVSS score: 3.3 (Low)

The agent configuration file /etc/controller-agent/agent.conf is world readable with current permission bits set to 644.

• K12331123: NGINX Plus and Open Source vulnerability CVE-2021-23017

CVSS score: 3.7 (Low)

A security issue in NGINX resolver may allow an attacker who is able to forge UDP packets from the specified DNS server to cause 1-byte memory overwrite, resulting in a worker process crash or other unspecified impact.