CVE-2023-44487 in latest image #182

saipraveen88 · 2023-10-19T05:47:57Z

Hi,
We see that the CVE-2023-44487 is now being reported for the latest release of nginx-s3-gateway docker image in our security scan tool and were wondering if there is any configuration that can be used to fix or mitigate the vulnerability.

dekobon · 2023-10-24T23:29:35Z

Hi there,

My apologies for the late response. I believe this CVE is referencing HTTP/2 stream reset attacks. NGINX has a detailed blog post regarding the vulnerability here: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/

As for this container image, it is not running in HTTP/2 mode by default. Additionally, with NGINX's default keepalive limit it is not affected by the type of attack detailed in the CVE. However, I believe that the latest NGINX version has added additional protections.

@4141done Can you look into upgrading the default NGINX version in the Dockerfile(s) as well as bumping the njs version?

…to newest versons

4141done added a commit that referenced this issue Oct 25, 2023

fix: fixes #182 update NGINX, NGINX Plus, NJS, and NGINX XSLT module …

eabd386

…to newest versons

4141done mentioned this issue Oct 25, 2023

update NGINX, NGINX Plus, NJS, and NGINX XSLT module to newest versions #184

Merged

4141done closed this as completed in #184 Oct 25, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2023-44487 in latest image #182

CVE-2023-44487 in latest image #182

saipraveen88 commented Oct 19, 2023 •

edited

Loading

dekobon commented Oct 24, 2023

CVE-2023-44487 in latest image #182

CVE-2023-44487 in latest image #182

Comments

saipraveen88 commented Oct 19, 2023 • edited Loading

dekobon commented Oct 24, 2023

saipraveen88 commented Oct 19, 2023 •

edited

Loading