Beware of Undisclosed Requests Causing NGINX Worker Processes to Terminate

CVE: CVE-2024-24990
CVSS (v3.1): 7.5
Source: CVE-2024-24990

NGINX is a popular open source web server that can be used to serve static files, proxy connections to application servers and load balance traffic. It supports features like HTTP load balancing, media streaming, and caching.

A vulnerability has been discovered in NGINX that allows undisclosed requests to cause worker processes to terminate when the HTTP/3 QUIC module is enabled. HTTP/3 is a newer protocol version that carries HTTP semantics over the QUIC transport for improved performance; NGINX still considers its HTTP/3 implementation experimental.

By sending specially crafted requests, attackers can potentially exploit this issue to crash NGINX worker processes and disrupt the services it is load balancing or proxying. This could lead to denial of service.

If you are running NGINX with the HTTP/3 QUIC module enabled, upgrade to a release that includes the fix. The module is not enabled by default, so check whether your build and configuration actually use it, carefully evaluate whether you need an experimental feature at all, and monitor your logs for any suspicious requests.
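The two checks the advice above implies, written here as an added example (it is not code from the advisory or from the NGINX project): whether the NGINX binary was built with the HTTP/3 module (`--with-http_v3_module` in the `nginx -V` configure arguments) and whether any uncommented `listen ... quic` directive turns it on, plus a count of the `worker process N exited on signal` alerts that a crashing worker leaves in error.log. The `nginx -V` output, configuration and log lines below are constructed samples; on a real host you would feed the functions `nginx -V 2>&1`, `nginx -T 2>/dev/null` and the contents of the error log.

```shell
#!/bin/sh
# Added example, not part of the advisory: defender-side checks for the
# situation it describes. (1) Is this NGINX build compiled with the
# experimental HTTP/3 module, and does the configuration actually enable a
# QUIC listener?  (2) Does the error log show worker processes dying?
# The inputs below are constructed samples standing in for real output.

# 0 if the configure arguments include the HTTP/3 module, 1 otherwise.
build_has_http3() {
  printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'
}

# 0 if an uncommented `listen ... quic` directive is present, 1 otherwise.
config_enables_quic() {
  printf '%s\n' "$1" \
    | grep -v '^[[:space:]]*#' \
    | grep -Eq '^[[:space:]]*listen[[:space:]][^;]*[[:space:]]quic([[:space:]]|;)'
}

# Combine both into one verdict: not-built | built-but-disabled | enabled
http3_exposure() {
  if ! build_has_http3 "$1"; then
    echo "not-built"
  elif config_enables_quic "$2"; then
    echo "enabled"
  else
    echo "built-but-disabled"
  fi
}

# Count master-process alerts about a worker exiting on a signal, which is
# the footprint a crashed worker leaves in error.log (prints 0 if none).
count_worker_crashes() {
  printf '%s\n' "$1" | grep -c 'worker process [0-9]* exited on signal' || true
}

# --- constructed sample inputs (not real hosts, versions or logs) ---
SAMPLE_V='nginx version: nginx/0.0.0-sample
configure arguments: --with-http_ssl_module --with-http_v2_module --with-http_v3_module'

SAMPLE_CONF='server {
    listen 443 ssl;
    # listen 443 quic reuseport;   # commented out, must not count
    server_name example.test;
}
server {
    listen 8443 quic reuseport;
    listen 8443 ssl;
}'

SAMPLE_LOG='2024/02/14 10:00:00 [notice] 1000#1000: start worker process 1001
2024/02/14 10:00:05 [alert] 1000#1000: worker process 1001 exited on signal 11 (core dumped)
2024/02/14 10:00:05 [notice] 1000#1000: start worker process 1002
2024/02/14 10:00:09 [alert] 1000#1000: worker process 1002 exited on signal 11 (core dumped)'

main() {
  echo "HTTP/3 exposure : $(http3_exposure "$SAMPLE_V" "$SAMPLE_CONF")"
  echo "Worker crashes  : $(count_worker_crashes "$SAMPLE_LOG")"
}
main "$@"
```

A verdict of `built-but-disabled` means the vulnerable code path is compiled in but no listener uses it, so the upgrade matters less urgently than for `enabled`; a rising crash count on an `enabled` host is the signal worth alerting on while the upgrade is pending.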

Proper authentication on upstream applications and firewall rules to restrict traffic to only trusted IPs/subnets can help prevent exploitation of such vulnerabilities. Regular patching of software components is also advisable to get the latest security updates.
