F5 NGINX Open Source
cpe:2.3:a:f5:nginx_open_source:*:*:*:*:*:*:*
- >= 1.1.19, <= 1.29.6
A denial-of-service vulnerability has been identified in the 32-bit version of NGINX Open Source, specifically within the ngx_http_mp4_module. This issue arises when the MP4 directive is used in the configuration file, allowing an attacker to over-read or over-write NGINX worker memory with a specially crafted MP4 file. The vulnerability leads to the termination of the NGINX worker process, causing a disruption as the process restarts.
Exploitation of this vulnerability causes a denial-of-service condition by disrupting traffic and forcing the NGINX worker process to restart.
To address this vulnerability, users can update to NGINX versions 1.29.7 or 1.28.3. If an immediate update is not possible, the MP4 module can be disabled in the NGINX configuration by commenting out the mp4 directives. After making this change, the NGINX configuration should be tested and reloaded.
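The check behind the mitigation above can be scripted. The following is an added example, not code from F5 or from this advisory: it reports whether a given NGINX version falls in the affected range and whether a configuration file still has an active mp4 directive. The function names are hypothetical, later 1.28.x releases are assumed to carry the 1.28.3 fix, and the 32-bit condition is not checked.

```shell
#!/bin/sh
# Added example: exposure check for the ngx_http_mp4_module issue.
# Function names are hypothetical; version bounds come from the advisory text.

# Encode "major.minor.patch" as one integer so versions compare numerically.
ver_num() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Return 0 if VERSION is in the affected range (>= 1.1.19, <= 1.29.6).
# Assumption: 1.28.3 and any later 1.28.x release contain the fix.
version_affected() {
    v=$(ver_num "$1")
    [ "$v" -ge "$(ver_num 1.1.19)" ] || return 1
    [ "$v" -le "$(ver_num 1.29.6)" ] || return 1
    if [ "$v" -ge "$(ver_num 1.28.3)" ] && [ "$v" -lt "$(ver_num 1.29.0)" ]; then
        return 1
    fi
    return 0
}

# Print "line:text" for each active (uncommented) mp4 directive in FILE.
# Simplification: everything after '#' is treated as a comment, so a '#'
# inside a quoted string would hide the rest of that line.
active_mp4() {
    sed 's/#.*//' "$1" | grep -nE '(^|[[:space:];{])mp4[[:space:]]*;'
}

# Return 0 when the version is affected and an mp4 directive is still active.
exposed() {   # usage: exposed VERSION CONFIG_FILE
    version_affected "$1" && active_mp4 "$2" >/dev/null
}
```

After commenting out the lines that active_mp4 reports, validate the configuration with `nginx -t` and apply it with `nginx -s reload`.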