Tell HN: A new Nginx 0-day was just discovered.

5 points by etenal 2 days ago | original post
We (Nebula Security) just dropped an nginx remote code execution 0-day. This vulnerability affects dozens of Fortune 500 companies and we disclosed it to the nginx team immediately. This 0-day is the third nginx bug to receive a "major" rating since 2014. (https://x.com/nebusecurity/status/2067623683427045541)

To check if your server is impacted:

    1. You are running NGINX Open Source v1.31.0 or v1.31.1
    2. Your NGINX configuration enables HTTP/3 / QUIC

Immediate action:

    1. Upgrade NGINX to v1.31.2 or later
    2. If you cannot upgrade immediately, disable QUIC / HTTP/3 until you can patch

Shameless plug: this is the second nginx RCE 0-day we found in a month, using our security agent VEGA. (see our first nginx RCE at https://x.com/nebusecurity/status/2057071579876753643). We'll be doing an HN launch, but wanted to get the word out about this RCE sooner.

In the meantime, if you are interested in trying VEGA on your codebase, reach out at etenz@nebusec.ai.
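The two-step check in the post (affected version plus an HTTP/3 listener) can be scripted so it is run the same way on every host. The script below is an added example, not code from the post, from Nebula Security, or from the nginx project. It assumes that `nginx -v` prints `nginx version: nginx/X.Y.Z` on stderr, that `nginx -T` dumps the full effective configuration (it usually needs root to read the config), and that HTTP/3 is enabled by a `quic` parameter on a `listen` directive, which is the only way nginx opens a QUIC socket; the version numbers are the ones the post names. The sample version line and config at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: does this host match the post's two conditions for the nginx 0-day?
# Assumptions (not from the post): `nginx -v` writes "nginx version: nginx/X.Y.Z" to
# stderr, `nginx -T` dumps the effective config, and HTTP/3 is on iff some
# `listen ... quic` directive is present.

# Affected versions as stated in the post.
nginx_version_affected() {
    case "$1" in
        1.31.0|1.31.1) return 0 ;;
        *)             return 1 ;;
    esac
}

# Pull "1.31.1" out of "nginx version: nginx/1.31.1"; prints nothing if unparseable.
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's/^nginx version: nginx\/\([0-9.]*\).*/\1/p'
}

# Return 0 if the config text (stdin-style string in $1) has a QUIC listener.
# Comments are stripped first so a commented-out `listen 443 quic;` does not count.
config_enables_http3() {
    printf '%s\n' "$1" \
        | sed 's/#.*$//' \
        | grep -Eq '^[[:space:]]*listen[[:space:]][^;]*[[:space:]]quic([[:space:]]|;)'
}

# Combine both checks. Prints a one-line verdict; exit 1 = vulnerable, 2 = unknown.
assess_nginx() {   # $1 = output of `nginx -v 2>&1`, $2 = output of `nginx -T`
    ver=$(parse_nginx_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN: could not parse a version from: $1"
        return 2
    fi
    if ! nginx_version_affected "$ver"; then
        echo "NOT AFFECTED: nginx/$ver is not 1.31.0 or 1.31.1"
        return 0
    fi
    if config_enables_http3 "$2"; then
        echo "VULNERABLE: nginx/$ver with a QUIC/HTTP/3 listener; upgrade to 1.31.2+ or drop 'quic' from listen"
        return 1
    fi
    echo "AFFECTED VERSION, NO QUIC LISTENER: nginx/$ver; still upgrade to 1.31.2+"
    return 0
}

# Constructed sample input (not real hosts): a vulnerable version with HTTP/3 on.
SAMPLE_VERSION_LINE='nginx version: nginx/1.31.1'
SAMPLE_CONFIG='
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;   # HTTP/3 listener
        http3 on;
    }
}'

# Live check when nginx is installed, otherwise run on the constructed sample.
if command -v nginx >/dev/null 2>&1; then
    if cfg=$(nginx -T 2>/dev/null); then
        assess_nginx "$(nginx -v 2>&1)" "$cfg" || true
    else
        echo "nginx -T failed (try as root); cannot tell whether HTTP/3 is enabled"
    fi
else
    assess_nginx "$SAMPLE_VERSION_LINE" "$SAMPLE_CONFIG" || true
fi
```

Disabling HTTP/3 as the interim mitigation means removing the `quic` parameter from every `listen` directive (or the whole `listen ... quic` line) and reloading, which is exactly what `config_enables_http3` looks for; `http3 off;` alone leaves the QUIC socket open, so the script ignores that directive.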