F5 NGINX Plus
cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*
- >= R32, <= R36
- R36 P4
- R32 P6
A vulnerability exists in NGINX Plus versions 37.x and R3x (R32 - R36), as well as NGINX Open Source versions 1.25.0 through 1.30.0, when the HTTP/3 QUIC module is enabled. This vulnerability allows an attacker to spoof their source IP address, potentially bypassing authorization measures or rate limiting. Additionally, this spoofing could be exploited to cause a denial-of-service condition on the NGINX system.
Exploitation of this vulnerability could lead to unauthorized access or actions by allowing an attacker to bypass IP-based authorization controls or rate limits. Furthermore, according to F5, this vulnerability could be used to create a denial-of-service condition on the NGINX system.
Users can upgrade to NGINX Plus version 37.0.0 or NGINX Open Source version 1.31.0 or 1.30.1 to address this vulnerability. For NGINX Plus users, version 36 P4 is also available. If using NGINX Instance Manager, version 2.21.1 should be installed. F5 WAF for NGINX users should upgrade to version 5.12.1, while NGINX App Protect WAF users should move to version 5.8.0. For those using NGINX Gateway Fabric, version 2.6.0 is recommended. NGINX Ingress Controller users should upgrade to version 5.4.2, 4.0.1, or 3.7.2, depending on their current version.
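As an added defender-side check (not code from F5 or from the advisory), the script below decides whether an NGINX Open Source build falls in the affected 1.25.0 through 1.30.0 range with HTTP/3 actually enabled, by parsing `nginx -V` output and a configuration fragment. The sample `nginx -V` text and server block are constructed; the `nginx version:` / `configure arguments:` lines, the `--with-http_v3_module` build flag and the `listen ... quic` parameter are standard NGINX.

```python
import re

# Affected NGINX Open Source range stated in the advisory: 1.25.0 through 1.30.0 inclusive.
AFFECTED_OSS_MIN = (1, 25, 0)
AFFECTED_OSS_MAX = (1, 30, 0)

def parse_nginx_v(output: str):
    """Extract (version tuple, configure arguments) from `nginx -V` output."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no 'nginx version:' line found")
    version = tuple(int(x) for x in m.groups())
    c = re.search(r"configure arguments:(.*)", output)
    return version, (c.group(1).strip() if c else "")

def has_quic_listener(nginx_conf: str) -> bool:
    """True if any uncommented `listen` directive carries the `quic` parameter (HTTP/3 on)."""
    for line in nginx_conf.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if stripped.startswith("listen") and re.search(r"\bquic\b", stripped):
            return True
    return False

def assess_oss(nginx_v_output: str, nginx_conf: str) -> dict:
    """Exposed only if all three hold: version in range, HTTP/3 module built, quic listener configured."""
    version, args = parse_nginx_v(nginx_v_output)
    in_range = AFFECTED_OSS_MIN <= version <= AFFECTED_OSS_MAX
    http3_built = "--with-http_v3_module" in args
    quic_on = has_quic_listener(nginx_conf)
    return {
        "version": ".".join(map(str, version)),
        "version_in_affected_range": in_range,
        "http3_module_built": http3_built,
        "quic_listener_configured": quic_on,
        "exposed": in_range and http3_built and quic_on,
    }

# Constructed sample inputs (not captured from a real host).
SAMPLE_NGINX_V = """nginx version: nginx/1.28.0
built with OpenSSL 3.0.11 19 Sep 2023
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module
"""
SAMPLE_CONF = """server {
    listen 443 ssl;
    listen 443 quic reuseport;  # HTTP/3 enabled on this server block
    server_name example.test;
}"""

if __name__ == "__main__":
    print(assess_oss(SAMPLE_NGINX_V, SAMPLE_CONF))
```

On a real host, feed it the stderr of `nginx -V` and the output of `nginx -T`; the fixed releases named above (1.30.1 and 1.31.0) fall outside the range and report `exposed: False`.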