Attention HN readers: an nginx zero-day has just been disclosed
5 points • by etenal • 2 days ago
We (Nebula Security) just dropped an nginx remote code execution 0-day. This vulnerability affects dozens of Fortune 500 companies and we disclosed it to the nginx team immediately. This 0-day is the third nginx bug to receive a "major" rating since 2014. (https://x.com/nebusecurity/status/2067623683427045541)

To check if your server is impacted:

1. You are running NGINX Open Source v1.31.0 or v1.31.1
2. Your NGINX configuration enables HTTP/3 / QUIC

Immediate action:

1. Upgrade NGINX to v1.31.2 or later
2. If you cannot upgrade immediately, disable QUIC / HTTP/3 until you can patch

Shameless plug: this is the second nginx RCE 0-day we found in a month, using our security agent VEGA (see our first nginx RCE at https://x.com/nebusecurity/status/2057071579876753643). We'll be doing an HN launch, but wanted to get the word out about this RCE sooner.

In the meantime, if you are interested in trying VEGA on your codebase, reach out at etenz@nebusec.ai.
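The two impact checks listed in the post, as an added example that is not part of the original post and is not Nebula Security's or nginx's code: a POSIX shell triage script. It assumes `nginx -v` prints `nginx version: nginx/X.Y.Z` (on stderr), that `nginx -T` dumps the effective configuration, and that HTTP/3 is switched on by a `listen ... quic` directive and/or `http3 on;`. The sample banner and config embedded below are constructed for the demo, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the post, Nebula Security or nginx): triage a host
# against the two criteria the post names. Assumptions: `nginx -v` reports
# "nginx version: nginx/X.Y.Z" on stderr, `nginx -T` dumps the effective
# configuration, and HTTP/3 is enabled by `listen ... quic` and/or `http3 on;`.

# Return 0 (true) when the version string is one of the two the post names.
nginx_version_affected() {
    case "$1" in
        1.31.0|1.31.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract "X.Y.Z" from the `nginx -v` banner ("nginx version: nginx/1.31.1").
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Return 0 when the dumped configuration turns QUIC/HTTP/3 on.
# Comments are stripped first so "# listen 443 quic;" does not count.
config_enables_quic() {
    printf '%s\n' "$1" \
      | sed 's/#.*$//' \
      | grep -Eq '(^|[[:space:]])listen[[:space:]].*[[:space:]]quic([[:space:];]|$)|(^|[[:space:]])http3[[:space:]]+on[[:space:];]'
}

# Combine both checks: exit 0 = matches the post's criteria, 1 = does not.
assess() {
    banner="$1"; config="$2"
    ver="$(parse_nginx_version "$banner")"
    if nginx_version_affected "$ver" && config_enables_quic "$config"; then
        echo "AFFECTED: nginx $ver with QUIC/HTTP/3 enabled"
        return 0
    fi
    echo "not affected by the stated criteria (nginx ${ver:-unknown})"
    return 1
}

# Constructed sample input standing in for a real host (hypothetical values).
SAMPLE_BANNER='nginx version: nginx/1.31.1'
SAMPLE_CONFIG='server {
    listen 443 ssl;
    listen 443 quic reuseport;
    http3 on;
    server_name example.test;
}'

if command -v nginx >/dev/null 2>&1; then
    # Real host: nginx -v writes to stderr; nginx -T needs a loadable config.
    assess "$(nginx -v 2>&1)" "$(nginx -T 2>/dev/null)" || true
else
    assess "$SAMPLE_BANNER" "$SAMPLE_CONFIG" || true
fi
```

The script reports only whether a host matches the criteria the post states (version 1.31.0 or 1.31.1 with QUIC enabled); it does not confirm exploitability, and a host running a custom build or a vendor-patched package should be checked against the vendor's advisory rather than the bare version string. To apply the post's interim mitigation, remove or comment out the `listen ... quic` lines and `http3 on;`, run `nginx -t && nginx -s reload`, and rerun the script to confirm the host is no longer reported.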