K12331123 : NGINX Plus and Open Source vulnerability CVE-2021-23017

Security Advisory Description

An issue in NGINX resolver may allow an attacker who is able to forge UDP packets from the specified DNS server to cause a 1-byte memory overwrite, resulting in a worker process crash or other unspecified impact. (CVE-2021-23017)

Impact

A remote attacker can cause a worker process to stop responding, denying access to some users. This vulnerability is present only if one or more resolver directives have been configured. By default, no resolvers are configured.

NGINX Plus and Open Source

For more information about the resolver directive, refer to the following NGINX modules directive reference pages:

• ngx_http_core_module
• ngx_http_upstream_module
• ngx_mail_core_module
• ngx_stream_core_module
• ngx_stream_upstream_module

NGINX Ingress Controller

Most commonly, the resolver is used with NGINX Plus to support ExternalName services as load balancing destinations, however other use cases are possible. For more information about use withExternalName services, refer to the kubernetes-ingress page in GitHub.