NGINX and NGINX Plus Man-in-the-Middle Vulnerability Allowing Response Injection

Vulnerability

A vulnerability exists in NGINX OSS and NGINX Plus when proxying to upstream TLS servers. An attacker in a man-in-the-middle position on the upstream server side may, under certain conditions that the attacker cannot control, inject plaintext data into the response from the upstream server. This issue affects NGINX Open Source versions 1.3.0 to 1.29.4, NGINX Plus versions R32 to R36 P1, and NGINX Ingress Controller versions 5.3.0 to 5.3.2, 4.0.0 to 4.0.1, and 3.4.0 to 3.7.1. Additionally, NGINX Gateway Fabric versions 2.0.0 to 2.4.0 and 1.2.0 to 1.6.2 are vulnerable. NGINX Instance Manager versions 2.15.1 to 2.21.0 are also affected.

Impact

Exploitation may allow an unauthenticated attacker with a man-in-the-middle position on the upstream server side to inject response data that could then be forwarded to clients.

Remediation

Users can upgrade to NGINX Open Source version 1.29.5 or 1.28.2, or to NGINX Plus version R36 P2, R35 P1, or R32 P4. For NGINX Ingress Controller, upgrade to version 5.3.3 or 4.0.2. NGINX Gateway Fabric users should upgrade to version 2.4.1 or 1.6.3.

Added: Feb 4, 2026, 3:23 PM
Updated: Feb 4, 2026, 4:54 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 6.2
remediation: 0.0
relevance: 2.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.