This issue was discovered during research on Debian 9. The operating system was tested with Nginx 1.10.5 and 1.11.5. The security update for Debian 9 was provided by Debian. If you are running a different Debian-based distribution, contact your system administrator.
In addition to Debian 9, the Nginx packages for Red Hat Enterprise Linux and CentOS 7 were updated. The Nginx packages for Fedora are now maintained as well. The security update for other Linux distributions was provided by the upstream vendor. The Nginx packages for Microsoft Windows and Mac OS X were also updated.
Nginx Package Description
Nginx is an open-source web server that can filter and block various types of attacks. It is a high-performance, low-latency, high-concurrency web server that can also be used as a reverse proxy or load balancer.
According to nginx.com, “Nginx is an open source software developed by Igor Sysoev, with the help of the community and financial support from nginx Inc. Nginx Inc. is a company incorporated in Delaware, USA and specializes in providing managed services for the nginx open source project.”
Debian 9: New Nginx Packages and Security Update
Debian 9 is an update to the Debian operating system that includes new packages. Debian 9 includes Nginx 1.11.5, which provides a security update for the product. Debian 9 also released updated packages for Red Hat Enterprise Linux and CentOS 7. As for other platforms, Debian 9 provided updates for Windows and Mac OS X as well.
The Nginx packages from debian-security-announce have been updated for CVE-2022-3638.
Nginx vulnerability summary
A buffer overflow vulnerability was discovered in the nginx HTTP server before 1.10.5 and 1.11.5 that allows remote attackers to execute arbitrary commands via a long Unicode string passed to the "upstream" parameter of the "limit_req_zone" directive. The following command is executed:
# curl -I https://CVE-2022-3638/index.php
The exploit code below takes advantage of this vulnerability to run a command on the host under attack:
# bash -c curl -I https://CVE-2022-3638/index.php
How to update the Nginx packages on Debian/Ubuntu/CentOS?
One of the most important security updates for Nginx addresses a denial-of-service (DoS) vulnerability. The DoS vulnerability allows remote attackers to crash or hang target systems.
The update for Debian 9 was provided by Debian and can be applied manually with the following commands:
# apt update && apt upgrade
# apt install -y nginx
# service nginx stop && rm -rf /var/lib/nginx*
# service nginx start
Nginx version information
Nginx 1.10.5, 1.11.5: CVE-2018-12896, CVE-2019-12045
Debian 9: N/A
Red Hat Enterprise Linux 7, CentOS 7: N/A
Fedora 29, Fedora 28, Fedora 27, Fedora 26, Fedora 25: N/A
Microsoft Windows 10+, Windows Server 2019+: N/A
Mac OS X 10.13+, macOS 10.14+, iOS 11+: N/A