NGINX Plus and NGINX Open Source ngx_http_ssl_module Heap Use-After-Free Vulnerability

Vulnerability

A heap-use-after-free vulnerability has been identified in the ngx_http_ssl_module of NGINX Plus and NGINX Open Source. The issue arises when the ssl_verify_client directive is set to 'on' or 'optional' and the ssl_ocsp directive is enabled (with the 'on' or 'leaf' parameter) together with a configured resolver. Under these conditions, an unauthenticated attacker can send requests that trigger a heap use-after-free in the NGINX worker process. The consequence may include limited data modification or a restart of the NGINX worker process.

Impact

Exploitation of this vulnerability may allow for a limited modification of data or cause the NGINX worker process to restart.

Remediation

To address this vulnerability, users can update to NGINX versions 1.31.0 or 1.30.1 for NGINX Open Source, or versions R36 P4 or R32 P6 for NGINX Plus. For NGINX Instance Manager, versions 2.21.1 and 2.16.0 should be avoided. If using NGINX App Protect WAF, versions 5.9.0 to 5.12.1 and 4.9.0 to 4.16.0 are vulnerable. In NGINX Gateway Fabric, versions 2.0.0 to 2.5.1 and 1.3.0 to 1.6.2 should be updated. For NGINX Ingress Controller, versions 5.0.0 to 5.4.1, 4.0.0 to 4.0.1, and 3.5.0 to 3.7.2 are affected. Users can also mitigate the vulnerability by specifying an OCSP responder using the ssl_ocsp_responder directive, or by switching from OCSP to CRL files using the ssl_crl directive.
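The affected configuration pattern and the two mitigations named above, as an added configuration example that is not part of the advisory; certificate paths, the CRL path and the responder URL are placeholders:

```nginx
# Added example, not from the advisory. File paths and the responder URL are placeholders.

# Affected pattern: client certificates are verified, OCSP is enabled, and no
# responder is pinned, so the responder URL comes from each client certificate
# and is resolved through the configured resolver.
server {
    listen 443 ssl;
    ssl_certificate         /etc/nginx/certs/server.pem;       # placeholder
    ssl_certificate_key     /etc/nginx/certs/server.key;       # placeholder
    ssl_client_certificate  /etc/nginx/certs/client-ca.pem;    # placeholder
    ssl_verify_client       on;        # 'optional' is affected as well
    ssl_ocsp                on;        # 'leaf' is affected as well
    resolver                127.0.0.1; # placeholder resolver
}

# Mitigation 1: pin the OCSP responder with ssl_ocsp_responder, so the
# responder taken from the client certificate is no longer used.
server {
    listen 443 ssl;
    ssl_certificate         /etc/nginx/certs/server.pem;       # placeholder
    ssl_certificate_key     /etc/nginx/certs/server.key;       # placeholder
    ssl_client_certificate  /etc/nginx/certs/client-ca.pem;    # placeholder
    ssl_verify_client       on;
    ssl_ocsp                on;
    ssl_ocsp_responder      http://ocsp.example.test/;          # placeholder URL
    resolver                127.0.0.1; # placeholder resolver
}

# Mitigation 2: turn OCSP off and check revocation against a CRL file instead.
# The CRL must be kept current, e.g. by a periodic download and `nginx -s reload`.
server {
    listen 443 ssl;
    ssl_certificate         /etc/nginx/certs/server.pem;       # placeholder
    ssl_certificate_key     /etc/nginx/certs/server.key;       # placeholder
    ssl_client_certificate  /etc/nginx/certs/client-ca.pem;    # placeholder
    ssl_verify_client       on;
    ssl_ocsp                off;
    ssl_crl                 /etc/nginx/certs/client-ca.crl.pem; # placeholder
}
```

Run `nginx -t` after changing the configuration and confirm in the output that the active server blocks contain either ssl_ocsp_responder or ssl_crl before reloading.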

Added: May 13, 2026, 6:09 PM
Updated: May 13, 2026, 6:09 PM

Vulnerability Rating

Custom Algorithm

spread: 9.4
impact: 1.3
exploitability: 7.2
remediation: 7.9
relevance: 8.2
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.