
This week, some details about security flaws in several microprocessors were publicly shared; a full disclosure is expected to follow. The flaws take several forms, and have been named Meltdown and Spectre.

You can find more information about the scope of both Meltdown and Spectre at https://meltdownattack.com.

A process (application) running on a server can use these flaws to access the protected memory used by other processes. The bugs can be exploited between processes and across containers, and even in some cloud and virtual environments.

As with all other processes, memory used by NGINX and NGINX Plus is vulnerable to snooping from another process running on the same host. For servers you control, NGINX, Inc. strongly recommends that you apply the appropriate OS patches to protect against this. For cloud and other platform providers that you use, we strongly recommend that you verify that your provider has applied these patches.
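One way to confirm that a Linux host actually carries the kernel mitigations is to read the kernel's own report. The script below is an added example, not part of the NGINX notice; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (Linux 4.15 and later, plus distribution backports). On older kernels the directory is absent, which the script reports as unknown rather than treating as safe.

```shell
#!/bin/sh
# Added example, not from the NGINX notice. Patched Linux kernels (4.15+ and
# distribution backports) expose one file per flaw under
# /sys/devices/system/cpu/vulnerabilities, each reading "Not affected",
# "Vulnerable[: detail]" or "Mitigation: <name>".
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected" | Mitigation:*) echo ok ;;
        Vulnerable*)                   echo vulnerable ;;
        *)                             echo unknown ;;
    esac
}

# report_mitigations DIR -> one line per flaw: "<flaw> <status> <kernel text>".
# Exit status: 0 if every flaw is mitigated or not affected, 1 if any flaw is
# still vulnerable, 2 if DIR is missing (kernel too old to report; assume unpatched).
report_mitigations() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "$dir not found: kernel predates mitigation reporting" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        raw=$(cat "$f")
        status=$(classify_status "$raw")
        [ "$status" = vulnerable ] && rc=1
        printf '%-24s %-10s %s\n' "$(basename "$f")" "$status" "$raw"
    done
    return $rc
}

# Run against the live host when executed as a script.
overall=0
report_mitigations "$VULN_DIR" || overall=$?
echo "overall status: $overall (0 = mitigated, 1 = vulnerable, 2 = unknown)"
```

An exit status of 1 on a host you control means the OS patch is missing or the mitigation was disabled at boot; on a cloud instance it is the question to put to the provider.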

As far as we are aware, NGINX and NGINX Plus themselves do not provide an attack vector that a remote user can use to exploit these vulnerabilities. Even if such an attack vector were discovered, it may not be possible to prevent it, so applying the recommended OS patches is a priority.

The appropriate advisories are listed at https://meltdownattack.com/#faq-advisory.

We also advise rotating sensitive data – such as authentication credentials and private keys – stored on vulnerable hardware, because both local attacks and remote attacks are generally impossible to detect. This is a higher priority for cloud‑hosted servers, where it may be easier to mount such attacks.

Once the patches are applied, processes that make large numbers of system calls are reported to incur a performance penalty. NGINX and NGINX Plus may therefore require additional CPU resources; monitor the effect of the patch and be prepared to scale up or scale out if necessary.

We are closely following details of these vulnerabilities and will update this notice as more details emerge.


About the Author

Owen Garrett

Senior Director of Product Management

Owen is a senior member of the NGINX Product Management team, covering open source and commercial NGINX products. He holds a particular responsibility for microservices and Kubernetes‑centric solutions. He’s constantly amazed by the ingenuity of NGINX users and still learns of new ways to use NGINX with every discussion.

About F5 NGINX

F5, Inc. is the company behind NGINX, the popular open source software. We offer a suite of technologies for developing and delivering modern applications. Our joint solutions bridge the gap between NetOps and DevOps, delivering multi-cloud application services from code to customer. Visit nginx-cn.net for more information.