NGINX.COM

Today we are releasing updates to NGINX Open Source, NGINX Plus, and NGINX Ingress Controller in response to a recently discovered low‑severity vulnerability in the NGINX implementation of DNS resolution. For full details and mitigation instructions, see the F5 Security Advisory about CVE-2021-23017.

The F5 Security Incident Response Team (SIRT) has assigned the vulnerability a score of 3.7 (Low) on the Common Vulnerability Scoring System (CVSS v3.1) scale. NGINX Engineering has assigned it a score of Medium on its internal scale to be consistent with prior vulnerabilities of similar severity.

The patch for this vulnerability is included in the following software versions:

  • NGINX Open Source 1.20.1 (stable)
  • NGINX Open Source 1.21.0 (mainline)
  • NGINX Plus R23 P1
  • NGINX Plus R24 P1

The following versions of NGINX Ingress Controller include the indicated patched versions of NGINX Open Source and NGINX Plus:

  • NGINX Ingress Controller 1.11.2 – NGINX Plus R23 P1
  • NGINX Ingress Controller 1.11.3 – NGINX Open Source 1.21.0 and NGINX Plus R23 P1

We recommend that you upgrade NGINX Open Source, NGINX Plus, and NGINX Ingress Controller to the latest versions.

For NGINX Plus upgrade instructions, see Upgrading NGINX Plus in the NGINX Plus Admin Guide. NGINX Plus customers can also contact our support team for assistance at https://my.f5.com/.

This vulnerability was discovered and responsibly disclosed to us by Luis Merino, Eric Sesterhenn, and Markus Vervier of X41 D‑Sec GmbH.

Hero image
免费白皮书:
NGINX 企阅版全解析

助力企业用户规避开源治理风险,应对开源使用挑战

关于作者

Liam Crilly

产品管理高级总监

关于 F5 NGINX

F5, Inc. 是备受欢迎的开源软件 NGINX 背后的商业公司。我们为现代应用的开发和交付提供一整套技术。我们的联合解决方案弥合了 NetOps 和 DevOps 之间的横沟,提供从代码到用户的多云应用服务。访问 nginx-cn.net 了解更多相关信息。