Undisclosed Requests Can Cause NGINX Worker Processes to Terminate
CVE-2024-24990

7.5HIGH

Key Information:

Vendor

F5
Status
Nginx Plus
Nginx Open Source
Vendor
CVE Published:
14 February 2024

Badges

๐Ÿ“ฐ News Worthy

What is CVE-2024-24990?

A vulnerability exists in NGINX Plus and NGINX OSS when the HTTP/3 QUIC module is enabled. This module, which is experimental and not enabled by default, can lead to undetermined requests that result in the termination of NGINX worker processes. This behavior can impact the stability and performance of applications relying on these server versions. Proper configurations and awareness of the module's current status are essential for maintaining service reliability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

NGINX Open Source 1.25.0 < 1.25.4

NGINX Plus R31

NGINX Plus R30

News Articles

favicon imagesecurityonline.info

NGINX Releases Urgent Patch for HTTP/3 Vulnerabilities (CVE-2024-24989, CVE-2024-24990)

NGINX has released an urgent patch to address 2 flaws (CVE-2024-24989, CVE-2024-24990) lurking within its experimental HTTP/3 implementation

References

https://my.f5.com/manage/s/article/K000138445
vendor-advisory
http://www.openwall.com/lists/oss-security/2024/05/30/4

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • ๐Ÿ“ฐ

    First article discovered by securityonline.info

  • Vulnerability published

  • Vulnerability Reserved

Credit

F5
JSON
.