Opened 3 months ago

Closed 3 months ago

#2361 closed defect (wontfix)

CVEs against Nginx 1.22

Reported by: gburton1@… Owned by:
Priority: minor Milestone: nginx-1.23
Component: other Version: 1.19.x
Keywords: CVE, vulnerability Cc:
uname -a: # uname -a
Linux cortex-nginx-7894f8d8f9-cbj6f 5.4.0-1073-azure #76~18.04.1-Ubuntu SMP Thu Mar 10 11:17:35 UTC 2022 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.22.0
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1n 15 Mar 2022

Description

Our Twistlock scanner is picking up a large number of CVEs against the latest version of Nginx, as well as the official Nginx Docker image for that version. Is there any plan to address these, or have some been deemed to be false positives?

There was no option to select version 1.22 in the dropdown, so I selected the latest (1.19).

Here are the results of the scan report:

nginx 1.22 debian-bullseye CVE-2016-2781 coreutils 8.32-4 chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

nginx 1.22 debian-bullseye CVE-2013-0337 nginx 1.22.0-1~bullseye The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable permissions for the (1) access.log and (2) error.log files, which allows local users to obtain sensitive information by reading the files.

nginx 1.22 debian-bullseye CVE-2020-36309 nginx 1.22.0-1~bullseye ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header.

nginx 1.22 debian-bullseye CVE-2021-3618 nginx 1.22.0-1~bullseye ALPACA is an application layer protocol content confusion attack, exploiting TLS servers implementing different protocols but using compatible certificates, such as multi-domain or wildcard certificates. A MiTM attacker having access to victim's traffic at the TCP/IP layer can redirect traffic from one subdomain to another, resulting in a valid TLS session. This breaks the authentication of TLS and cross-protocol attacks may be possible where the behavior of one protocol service may compromise the other at the application layer.

nginx 1.22 debian-bullseye CVE-2021-33560 libgcrypt20 1.8.7-6 Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.

nginx 1.22 debian-bullseye CVE-2022-27404 libfreetype6 freetype 2.10.4+dfsg-1 FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.

nginx 1.22 debian-bullseye CVE-2022-27405 libfreetype6 freetype 2.10.4+dfsg-1 FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.

nginx 1.22 debian-bullseye CVE-2022-27406 libfreetype6 freetype 2.10.4+dfsg-1 FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.

nginx 1.22 debian-bullseye CVE-2021-4209 libgnutls30 gnutls28 3.7.1-5 DOCUMENTATION: A NULL pointer dereference flaw was found in GnuTLS. As Nettle's hash update functions internally call memcpy, providing zero-length input may cause undefined behavior. This flaw leads to a denial of service after authentication in rare circumstances. STATEMENT: According to the analysis on the upstream issue, this flaw has been rated as having a security impact of Low. MITIGATION: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

nginx 1.22 debian-bullseye CVE-2022-2068 libssl1.1,openssl openssl 1.1.1n-0+deb11u2 In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).
nginx 1.22 debian-bullseye CVE-2022-1587 libpcre2-8-0 pcre2 10.36-2 An out-of-bounds read vulnerability was discovered in the PCRE2 library in the get_recurse_data_length() function of the pcre2_jit_compile.c file. This issue affects recursions in JIT-compiled regular expressions caused by duplicate data transfers.

nginx 1.22 debian-bullseye CVE-2022-1586 libpcre2-8-0 pcre2 10.36-2 An out-of-bounds read vulnerability was discovered in the PCRE2 library in the compile_xclass_matchingpath() function of the pcre2_jit_compile.c file. This involves a unicode property matching issue in JIT-compiled regular expressions. The issue occurs because the character was not fully read in case-less matching within JIT.

nginx 1.22 debian-bullseye CVE-2022-29458 libncursesw6,libtinfo6,ncurses-bin,ncurses-base ncurses 6.2+20201114-2 ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.

nginx 1.22 debian-bullseye CVE-2019-8457 libdb5.3 db5.3 5.3.28+dfsg1-0.8 SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-of-bound read in the rtreenode() function when handling invalid rtree tables.

nginx 1.22 debian-bullseye CVE-2021-3999 libc-bin,libc6 glibc 2.31-13+deb11u3 The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es): * glibc: Off-by-one buffer overflow/underflow in getcwd() (CVE-2021-3999) * glibc: Stack-based buffer overflow in svcunix_create via long pathnames (CVE-2022-23218) * glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname (CVE-2022-23219) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

nginx 1.22 debian-bullseye CVE-2021-36084 libsepol1 libsepol 3.1-1 The CIL compiler in SELinux 3.2 has a use-after-free in cil_verify_classperms (called from cil_verify_classpermission and cil_pre_verify_helper).

nginx 1.22 debian-bullseye CVE-2021-36085 libsepol1 libsepol 3.1-1 The CIL compiler in SELinux 3.2 has a use-after-free in cil_verify_classperms (called from verify_map_perm_classperms and hashtab_map).

nginx 1.22 debian-bullseye CVE-2021-36086 libsepol1 libsepol 3.1-1 The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).

nginx 1.22 debian-bullseye CVE-2021-36087 libsepol1 libsepol 3.1-1 The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.

nginx 1.22 debian-bullseye CVE-2021-38115 libgd3 libgd2 2.3.0-2 read_header_tga in gd_tga.c in the GD Graphics Library (aka LibGD) through 2.3.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TGA file.

nginx 1.22 debian-bullseye CVE-2021-40812 libgd3 libgd2 2.3.0-2 The GD Graphics Library (aka LibGD) through 2.3.2 has an out-of-bounds read because of the lack of certain gdGetBuf and gdPutBuf return value checks.

nginx 1.22 debian-bullseye CVE-2022-1210 libtiff5 tiff 4.2.0-1+deb11u1 A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.

nginx 1.22 debian-bullseye CVE-2022-1354 libtiff5 tiff 4.2.0-1+deb11u1 DOCUMENTATION: No description is available for this CVE.

nginx 1.22 debian-bullseye CVE-2022-1355 libtiff5 tiff 4.2.0-1+deb11u1 DOCUMENTATION: No description is available for this CVE.

nginx 1.22 debian-bullseye CVE-2022-1622 libtiff5 tiff 4.2.0-1+deb11u1 LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:619, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.

nginx 1.22 debian-bullseye CVE-2022-1623 libtiff5 tiff 4.2.0-1+deb11u1 LibTIFF master branch has an out-of-bounds read in LZWDecode in libtiff/tif_lzw.c:624, allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit b4e79bfa.

nginx 1.22 debian-bullseye CVE-2021-22947 libcurl4,curl curl 7.74.0-1.3+deb11u1 When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trusting the responses it got *before* the TLS handshake as if they were authenticated. Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server.

nginx 1.22 debian-bullseye CVE-2021-22898 libcurl4,curl curl 7.74.0-1.3+deb11u1 curl 7.7 through 7.76.1 suffers from an information disclosure when the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.

nginx 1.22 debian-bullseye CVE-2021-22946 libcurl4,curl curl 7.74.0-1.3+deb11u1 A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line or CURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL with libcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response. This flaw would then make curl silently continue its operations without TLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network.

nginx 1.22 debian-bullseye CVE-2021-22945 libcurl4,curl curl 7.74.0-1.3+deb11u1 When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 could in some circumstances erroneously keep a pointer to an already freed memory area and both use that again in a subsequent call to send data and also free it *again*.

nginx 1.22 debian-bullseye CVE-2021-22924 libcurl4,curl curl 7.74.0-1.3+deb11u1 libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse, if one of them matches the setup. Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*, which could lead to libcurl reusing wrong connections. File paths are, or can be, case sensitive on many systems but not all, and can even vary depending on used file systems. The comparison also didn't include the 'issuer cert' which a transfer can set to qualify how to verify the server certificate.

nginx 1.22 debian-bullseye CVE-2022-22576 libcurl4,curl curl 7.74.0-1.3+deb11u1 An improper authentication vulnerability exists in curl 7.33.0 to and including 7.82.0 which might allow reuse OAUTH2-authenticated connections without properly making sure that the connection was authenticated with the same credentials as set for this transfer. This affects SASL-enabled protocols: SMPTP(S), IMAP(S), POP3(S) and LDAP(S) (openldap only).

nginx 1.22 debian-bullseye CVE-2022-27782 libcurl4,curl curl 7.74.0-1.3+deb11u1 libcurl would reuse a previously created connection even when a TLS or SSH related option had been changed that should have prohibited reuse. libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several TLS and SSH settings were left out from the configuration match checks, making them match too easily.

nginx 1.22 debian-bullseye CVE-2022-27775 libcurl4,curl curl 7.74.0-1.3+deb11u1 An information disclosure vulnerability exists in curl 7.65.0 to 7.82.0 are vulnerable that by using an IPv6 address that was in the connection pool but with a different zone id it could reuse a connection instead.

nginx 1.22 debian-bullseye CVE-2022-27781 libcurl4,curl curl 7.74.0-1.3+deb11u1 libcurl provides the CURLOPT_CERTINFO option to allow applications to request details to be returned about a server's certificate chain. Due to an erroneous function, a malicious server could make libcurl built with NSS get stuck in a never-ending busy-loop when trying to retrieve that information.

nginx 1.22 debian-bullseye CVE-2022-27776 libcurl4,curl curl 7.74.0-1.3+deb11u1 A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or cookie header data on HTTP redirects to the same host but another port number.

nginx 1.22 debian-bullseye CVE-2022-27774 libcurl4,curl curl 7.74.0-1.3+deb11u1 An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with authentication could leak credentials to other services that exist on different protocols or port numbers.

nginx 1.22 debian-bullseye CVE-2020-16156 libperl5.32,perl-base,perl-modules-5.32,perl perl 5.32.1-4+deb11u2 CPAN 2.28 allows Signature Verification Bypass.

nginx 1.22 debian-bullseye CVE-2021-46822 libjpeg62-turbo libjpeg-turbo 1:2.0.6-4 The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoadImage for loading a 16-bit binary PPM file into a grayscale buffer and loading a 16-bit binary PGM file into an RGB buffer. This is related to a heap-based buffer overflow in the get_word_rgb_row function in rdppm.c.

nginx 1.22 debian-bullseye CVE-2022-1304 libcom-err2,libss2,libext2fs2,logsave,e2fsprogs e2fsprogs 1.46.2-2 An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5. This issue leads to a segmentation fault and possibly arbitrary code execution via a specially crafted filesystem.

nginx 1.22 debian-bullseye Image should be created with a non-root user

Change History (1)

comment:1 by thresh, 3 months ago

Resolution: wontfix
Status: new → closed

Hello!

For Docker images we rely on distributions vendors to provide timely updates to fix CVEs. Once in a while the images will get rebuilt (either on a new release of NGINX, or when the vendor updates the underlying image), and CVE fixes if any would be incorporated in the images we provide.

Some of the CVEs as found by your scanner are false positives too, since they don't apply to the packages we ship (e.g. there is no lua, and we're not affected by CVE-2013-0337). You should contact the scanner authors to let them know about the issues with their tool, or maybe just mark them as false positives on your end.

Let's go through some of the issues mentioned:

You can consult Debian's security tracker for more information on other mentioned CVEs; also consider moving to alpine-based images since they provide a different set of packages and might have mentioned CVEs fixed; also consider the applicability of mentioned CVEs to your use case - e.g. a fault in libext2fs (CVE-2022-1304) is highly unlikely to manifest an issue for nginx running in a container since it requires a manually crafted filesystem.
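The triage that the reply recommends for the scan report in the description (look each finding up in Debian's security tracker, then judge whether the installed package already carries the fix or was never affected) can be partly automated. The example below is added here and is not code from nginx, Debian or the scanner: it parses lines in the shape of the quoted report, looks each CVE up in a constructed excerpt shaped like the tracker's JSON export (source package → CVE → releases → suite), and compares the installed version against the fixed version with a dpkg-style comparison. Both the scan lines and the tracker excerpt are constructed sample data, not live tracker content.

```python
import re

# Constructed sample lines in the shape of the scan report quoted in the ticket (descriptions truncated).
SCAN_LINES = [
    "nginx 1.22 debian-bullseye CVE-2022-2068 libssl1.1,openssl openssl 1.1.1n-0+deb11u2 c_rehash ...",
    "nginx 1.22 debian-bullseye CVE-2013-0337 nginx 1.22.0-1~bullseye The default configuration ...",
    "nginx 1.22 debian-bullseye CVE-2022-1304 libext2fs2,e2fsprogs e2fsprogs 1.46.2-2 An out-of-bounds ...",
]
# Constructed excerpt shaped like the Debian security tracker JSON export; values are illustrative only.
TRACKER = {
    "openssl": {"CVE-2022-2068": {"releases": {"bullseye": {"status": "resolved", "fixed_version": "1.1.1n-0+deb11u3"}}}},
    "nginx": {"CVE-2013-0337": {"releases": {"bullseye": {"status": "resolved", "fixed_version": "0"}}}},
    "e2fsprogs": {"CVE-2022-1304": {"releases": {"bullseye": {"status": "open", "urgency": "low", "nodsa": "Minor issue"}}}},
}

def deb_cmp(a, b):
    """dpkg-style comparison of two 'epoch:upstream-revision' strings; returns -1, 0 or 1."""
    def order(c):  # end/digit = 0, '~' sorts before everything, letters before other symbols
        return 0 if not c or c.isdigit() else -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256
    def frag(x, y):  # alternate: compare a non-digit run char by char, then a digit run numerically
        while x or y:
            while (x and not x[0].isdigit()) or (y and not y[0].isdigit()):
                cx, cy = order(x[:1]), order(y[:1])
                if cx != cy:
                    return (cx > cy) - (cx < cy)
                x, y = x[1:], y[1:]
            nx, ny = [int(re.match(r"\d*", s).group() or 0) for s in (x, y)]
            if nx != ny:
                return (nx > ny) - (nx < ny)
            x, y = x.lstrip("0123456789"), y.lstrip("0123456789")
        return 0
    (ea, ua, ra), (eb, ub, rb) = [re.match(r"(?:(\d+):)?(.*?)(?:-([^-]*))?$", v).groups() for v in (a, b)]
    return frag(ea or "", eb or "") or frag(ua, ub) or frag(ra or "", rb or "")

def parse_scan_line(line):
    """(suite, CVE, source package, installed version); the version is the first token starting with a digit."""
    t = line.split()
    i = next(i for i in range(4, len(t)) if t[i][0].isdigit() and set(t[i]) & set(".-:"))
    return t[2].split("-", 1)[1], t[3], t[i - 1], t[i]

def triage(line, tracker=TRACKER):
    """Classify one finding as unknown/open (review), not-affected, fixed (false positive) or fixable."""
    suite, cve, pkg, installed = parse_scan_line(line)
    rel = tracker.get(pkg, {}).get(cve, {}).get("releases", {}).get(suite, {"status": "unknown"})
    if rel["status"] != "resolved":
        return cve, "%s: review manually (urgency=%s, %s)" % (rel["status"], rel.get("urgency"), rel.get("nodsa", "no DSA note"))
    if rel["fixed_version"] == "0":  # tracker convention for "never vulnerable"
        return cve, "not-affected: %s in %s was never vulnerable" % (pkg, suite)
    if deb_cmp(installed, rel["fixed_version"]) >= 0:
        return cve, "fixed: installed %s %s already includes the fix" % (pkg, installed)
    return cve, "fixable: rebuild the image once %s %s is available" % (pkg, rel["fixed_version"])
```

Run `triage()` over each line of a real report with the live tracker JSON loaded into `tracker` to separate findings that need a rebuilt image from scanner noise.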
