Serious vulnerabilities have been identified within nginx server when the nJS module is enabled. These vulnerabilities could be exploited by an attacker to execute code on the server, potentially leading to a complete compromise of the server environment.
The nginx server is behind approximately 30% of the world’s websites and while it has had its share of bugs and security updates, no serious exploits have been published for nginx so far.
New nginx Security Research
That may be set to change after a number of vulnerabilities were privately reported by an independent security researcher, Alisa Esage. The most serious of which may enable an attacker to run their own code on the underlying server, potentially compromising the entire server environment including applications on the server and the databases they interact with.
The severity of these vulnerabilities and the significant market share of nginx mean that these bugs are likely to attract a lot of attention both from security companies looking to improve defenses and protections, and from criminal hackers looking to attack affected servers. It may only be a matter of time before working exploit code is produced and published.
The nginx team have yet to publish an official security advisory.
What Can You Do?
The nginx team have reportedly fixed one of the vulnerabilities in nJS version 0.3.2 and a further fix will be included in version 0.3.3 so it is important to update your servers and ensure that future updates are installed as they become available. The command
njs -v can be used to determine the version of nJS installed on a server as shown in the following screenshot.
We recommend ensuring that you have a software patching policy and process in place so that security updates are applied in a timely manner. This should apply to all software on all systems including servers and workstations. A backup policy and process should also be in place to ensure that systems can be restored quickly in the event of a compromise.
Regular vulnerability scanning of your IT environment helps to ensure that you will be alerted whenever systems become affected by security vulnerabilities.