gigascience / gigadb-website

Source code for running GigaDB
http://gigadb.org
GNU General Public License v3.0

Update Nginx version to 1.20.1 or 1.21.0, risk=Critical #1161

Open kencho51 opened 2 years ago

kencho51 commented 2 years ago

Additional info

CVE-2019-20372

rija commented 1 year ago

From @pli888, Nginx configuration on production server:

nginx.conf:

user nginx;
worker_processes  40;

error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    access_log  /var/log/nginx/access.log;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    keepalive_timeout  300;

    gzip  on;
    gzip_http_version 1.0;
    gzip_comp_level 2;
    gzip_proxied any;
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/json;

    ssl_prefer_server_ciphers on;
    ssl_ciphers               'AESGCM+ECDH AESGCM+DH FIPS+ECDH FIPS+DH FIPS !aNULL';
    ssl_session_cache         shared:SSL:10m;
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;

    client_max_body_size 1M;

    log_format json '{'
        '"remote_addr": "$remote_addr",'
        '"remote_user": "$remote_user",'
        '"time_local": "$time_local",'
        '"request": "$request",'
        '"status": "$status",'
        '"body_bytes_sent": "$body_bytes_sent",'
        '"http_referer": "$http_referer",'
        '"http_user_agent": "$http_user_agent"'
    '}';

    types_hash_max_size 1024;
    server_names_hash_bucket_size 64;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

gigadb.conf:

server {
    listen      80;
    server_name localhost 192.168.208.73;
    proxy_read_timeout 600;
    proxy_send_timeout 600;
    root        /var/www/hosts/localhost/htdocs;
    access_log  /var/www/hosts/localhost/logs/access.log;
    error_log   /var/www/hosts/localhost/logs/error.log;
    sendfile    on;
    keepalive_timeout  65;
    tcp_nodelay     on;

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
    }

    location ~ \.php$ {
        include       fastcgi_params;
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_connect_timeout 300;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;
        fastcgi_buffer_size 64k;
        fastcgi_buffers 4 64k;
        fastcgi_busy_buffers_size 128k;
        fastcgi_temp_file_write_size 128k;
        try_files $uri =404;
    }
    location / {
        index index.php index.html;
        try_files $uri $uri/ /index.php?$args;
    }
    include /etc/nginx/agent_deny.conf;
}

rija commented 1 year ago

@kencho51, @pli888,

The CVE notice in the description links to a PDF explaining the vulnerability, the conditions under which it happens, and the mitigations:

According to that paper, and based on the configuration shown in my previous comment, the Nginx setup on the production server on BGI infrastructure is not vulnerable to the issue described in the CVE. This is because:

Therefore, it's not critical, and it's not worth the considerable effort to upgrade Nginx on that server.

(Even if we were vulnerable to it, which we are not, changing the configuration as described in the mitigations section of that paper would have been enough without needing an update to Nginx.)

I reckon there is nothing more to be done here, and the ticket can be closed.
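Added here as an illustration of the check behind that conclusion; it is not code from the issue or from gigadb-website. The NVD record for CVE-2019-20372 describes HTTP request smuggling through certain error_page configurations in nginx before 1.17.7, so the script reports whether a config contains any error_page directive and whether the reported version predates that fix. The gigadb.conf excerpt is copied from the comment above; the nginx version banners are constructed sample values.

```python
"""Audit an nginx config against the published conditions of CVE-2019-20372.

Added example, not part of gigadb-website. Per the NVD record the CVE is HTTP
request smuggling via certain error_page configurations in nginx before
1.17.7. GIGADB_CONF is an excerpt of the gigadb.conf posted in the issue
(it contains no error_page); the version banners are constructed samples.
"""
import re

GIGADB_CONF = r"""
server {
    listen      80;
    server_name localhost 192.168.208.73;
    root        /var/www/hosts/localhost/htdocs;
    location ~ \.php$ {
        fastcgi_pass  127.0.0.1:9000;
        try_files $uri =404;
    }
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
"""
FIXED_VERSION = (1, 17, 7)  # first nginx release carrying the error_page fix

def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from an 'nginx/1.16.1' style banner."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no nginx version found in {banner!r}")
    return tuple(int(x) for x in m.groups())

def error_page_directives(conf: str) -> list:
    """Return every error_page directive in conf, with comments stripped."""
    # The CVE text says 'certain' error_page configurations, so a hit marks
    # the config for review rather than confirming exposure.
    found = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("error_page"):
            found.append(line.rstrip(";"))
    return found

def assess(conf: str, banner: str) -> dict:
    """Exposure needs both an unpatched version and an error_page directive."""
    version = parse_version(banner)
    pages = error_page_directives(conf)
    unpatched = version < FIXED_VERSION
    return {"version": version, "unpatched": unpatched,
            "error_page": pages, "exposed": unpatched and bool(pages)}
```

Run `assess(open("/etc/nginx/sites-enabled/gigadb.conf").read(), subprocess.check_output(["nginx", "-v"], stderr=subprocess.STDOUT).decode())` against a live host; for the posted config the result is "exposed": False regardless of version, which is the page's own conclusion.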