An off-by-one error in ngx_resolver_copy() while processing DNS responses allows a network attacker to write a dot character ('.', 0x2E) out of bounds in a heap-allocated buffer. The vulnerability can be triggered by a DNS response in reply to a DNS request from nginx when the resolver primitive is configured. A specially crafted packet allows overwriting the least significant byte of the next heap chunk's metadata with 0x2E. A network attacker capable of providing DNS responses to an nginx server can likely achieve remote code execution.
This flaw can be triggered only when the `resolver` directive is used in the configuration file of nginx. This directive is used to configure the name servers that resolve names of upstream servers into addresses. When the directive is used, a malicious DNS server, or an attacker who can intercept and modify the traffic from the DNS server to the nginx server, could trigger this flaw.
According to the nginx documentation, "To prevent DNS spoofing, it is recommended configuring DNS servers in a properly secured trusted local network."; however, even in that case we cannot exclude internal attackers who could have access to the local network anyway. As this flaw could be abused by unauthenticated remote users to execute arbitrary code, I set the Impact to Important.
Function ngx_resolver_copy() in ngx_resolver.c decompresses domain names in DNS messages; however, it does not correctly consider the case when a compressed domain name is composed of one or more labels followed by a pointer to the root domain name. In that case it writes the character `.` past the end of the allocated buffer.
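The two-pass shape described above (size the name first, then copy it) is easy to get wrong exactly at the labels-then-pointer-to-root boundary. The following is an added example, not nginx's own code: a simplified decompressor modelled on the described logic, with the vulnerable copy loop beside a hardened one. The message bytes, offsets and function names are constructed for the demo; copies go into an oversized scratch buffer and the demo reports bytes written minus bytes sized, so the overrun is measured rather than committed to the heap.

```c
/*
 * Added example, not nginx's code: a simplified two-pass DNS name
 * decompressor modelled on the ngx_resolver_copy() logic described above.
 * Pass 1 sizes the output buffer; pass 2 copies the dotted name into it.
 * The vulnerable pass 2 emits '.' whenever the byte after a label is
 * non-zero, before checking whether that byte is a compression pointer
 * whose target is the root (0x00), so it writes one byte more than pass 1
 * sized. Copies go into an oversized scratch buffer and the demo reports
 * (bytes written - bytes sized) instead of corrupting memory.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PTR_HOPS 128   /* same pointer-loop limit nginx's sizing pass uses */
#define SCRATCH      512   /* large enough that the demo never overruns itself */

typedef size_t (*copier_fn)(const uint8_t *buf, size_t off, char *dst);

/* Pass 1: length of the dotted text form of the name at `off`, 0 for the root,
 * -1 if malformed (truncated, pointer out of range, or pointer loop). The first
 * label counts n bytes, each later label 1 + n (dot plus label). */
static long name_text_len(const uint8_t *buf, size_t len, size_t off)
{
    long total = -1;
    size_t p = off;

    for (int hops = 0; hops < MAX_PTR_HOPS; hops++) {
        if (p >= len) return -1;
        unsigned n = buf[p++];
        if (n == 0) return total < 0 ? 0 : total;
        if (n & 0xc0) {                      /* 11xxxxxx: compression pointer */
            if (p >= len) return -1;
            p = ((n & 0x3f) << 8) | buf[p];
        } else {
            total += 1 + n;
            p += n;
        }
    }
    return -1;
}

/* Pass 2, vulnerable shape. Only run on names pass 1 accepted, so reads are in
 * range; the defect is in the writes: '.' is emitted when the byte after a
 * label is non-zero, but that byte may be a pointer whose target is 0x00. */
static size_t copy_vulnerable(const uint8_t *buf, size_t off, char *dst)
{
    size_t p = off, w = 0;
    unsigned n = buf[p++];

    for (;;) {
        if (n & 0xc0) {
            p = ((n & 0x3f) << 8) | buf[p];
            n = buf[p++];
        } else {
            for (unsigned i = 0; i < n; i++) dst[w++] = (char)tolower(buf[p++]);
            n = buf[p++];
            if (n != 0) dst[w++] = '.';  /* BUG: a dot pass 1 never counted */
        }
        if (n == 0) return w;
    }
}

/* Pass 2, hardened: '.' is written only right before a non-first label is
 * copied, so dots == labels - 1 however the terminating zero is reached. */
static size_t copy_fixed(const uint8_t *buf, size_t off, char *dst)
{
    size_t p = off, w = 0;
    int first = 1;
    unsigned n = buf[p++];

    for (;;) {
        if (n == 0) return w;
        if (n & 0xc0) {
            p = ((n & 0x3f) << 8) | buf[p];
        } else {
            if (!first) dst[w++] = '.';
            first = 0;
            for (unsigned i = 0; i < n; i++) dst[w++] = (char)tolower(buf[p++]);
        }
        n = buf[p++];
    }
}

/* Constructed response fragment (not a real capture). Offsets:
 *  12: 00                     root name
 *  13: 03 'a' 'b' 'c' C0 0C   "abc" then a pointer to the root at 12
 *  19: 03 'W' 'w' 'w' C0 0D   "www" then a pointer to 13 ("abc" + root pointer) */
static const uint8_t msg[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* 12-byte DNS header, contents irrelevant */
    0x00,
    0x03, 'a', 'b', 'c', 0xc0, 0x0c,
    0x03, 'W', 'w', 'w', 0xc0, 0x0d,
};

/* Pointer to offset 0x0ff inside a 6-byte buffer: pass 1 must reject it. */
static const uint8_t bad[] = { 0x03, 'a', 'b', 'c', 0xc0, 0xff };

/* Bytes written by `copier` minus bytes pass 1 sized; > 0 is the overflow that
 * would land in the byte after the allocation. -1 if pass 1 rejects the name.
 * The root is handled without a copy, as the described code does. */
static long overflow_delta(size_t off, copier_fn copier)
{
    char scratch[SCRATCH];
    long sized = name_text_len(msg, sizeof msg, off);
    if (sized <= 0) return sized;
    return (long)copier(msg, off, scratch) - sized;
}

/* Decodes the name at `off` with `copier` and compares the text to `expect`. */
static int decodes_to(size_t off, copier_fn copier, const char *expect)
{
    char scratch[SCRATCH];
    size_t w = name_text_len(msg, sizeof msg, off) > 0 ? copier(msg, off, scratch) : 0;
    scratch[w] = '\0';
    return strcmp(scratch, expect) == 0;
}

int main(void)
{
    printf("abc+ptr(root): vulnerable delta %ld, fixed delta %ld\n",
           overflow_delta(13, copy_vulnerable), overflow_delta(13, copy_fixed));
    printf("www+ptr(abc):  vulnerable delta %ld, fixed delta %ld\n",
           overflow_delta(19, copy_vulnerable), overflow_delta(19, copy_fixed));
    printf("out-of-range pointer sized as %ld\n", name_text_len(bad, sizeof bad, 0));
    return 0;
}
```

For "abc" followed by a pointer to the root, pass 1 sizes 3 bytes while the vulnerable copy writes "abc." (4 bytes); chaining a second name through a pointer to that one ("www" + pointer) gives the same one-byte excess, which is the single 0x2E written past the allocation. The hardened loop decides about the dot only once it knows a further label is actually being copied, so its output length always equals what pass 1 sized.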
The Quay container `quay/quay-rhel8` does package nginx; however, it is installed as an RPM from RHEL. As such, Quay is not accounted for here, because once the updated RHEL RPM is released the container will be respun.
Analysis is complete for Ansible components. Affected versions of nginx are in use in AAP 1.2 and Tower 3.6 and 3.7. However, trackers will be created for AAP 1.2 and Tower 3.7 only, as Tower 3.6 became EOL on 14th May 2021.
Looks like this went public before we expected.

References:
https://www.openwall.com/lists/oss-security/2021/05/25/5
http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html

Upstream patch:
https://nginx.org/download/patch.2021.resolver.txt
Created nginx tracking bugs for this issue:

Affects: epel-7 [bug 1964821]
Affects: fedora-all [bug 1964820]
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2021:2258 https://access.redhat.com/errata/RHSA-2021:2258
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23017
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2259 https://access.redhat.com/errata/RHSA-2021:2259
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2021:2278 https://access.redhat.com/errata/RHSA-2021:2278
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support
  Red Hat Enterprise Linux 8.2 Extended Update Support
  Red Hat Enterprise Linux 8

Via RHSA-2021:2290 https://access.redhat.com/errata/RHSA-2021:2290
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.1 for RHEL 8

Via RHSA-2021:3653 https://access.redhat.com/errata/RHSA-2021:3653
This is fixed in 3scale-2.11; no minor release is needed for 2.10, as decided by the product.
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:3873 https://access.redhat.com/errata/RHSA-2021:3873
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7

Via RHSA-2021:3925 https://access.redhat.com/errata/RHSA-2021:3925
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2021:4618 https://access.redhat.com/errata/RHSA-2021:4618
Has this issue been addressed in the nginx:1.20 module stream for Red Hat Enterprise Linux 8?
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0323 https://access.redhat.com/errata/RHSA-2022:0323