The OpenSSL project announced fixes to seven security vulnerabilities on 5 June 2014. The details are described in their Security Advisory.
The vulnerabilities potentially affect any server application (including NGINX and NGINX Plus) that uses OpenSSL to terminate SSL/TLS traffic. Depending on the vulnerability, they can be exploited for a man‑in‑the‑middle (MitM) attack or for a variety of denial‑of‑service (DoS) and data‑corruption issues.
The recommendation from the OpenSSL project is as follows:
OpenSSL 0.9.8 SSL/TLS users should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users should upgrade to 1.0.1h.
NGINX and NGINX Plus builds provided by NGINX, Inc. (except those for Windows) or through a third‑party repository are usually dynamically linked to the operating system’s instance of libssl.so. Run the ldd command to learn the full path to the libssl.so file and the strings command to display the associated version number (in this case, it’s 1.0.1f):

$ ldd `which nginx` | grep ssl
libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f82e62bf000)
$ strings /lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep "^OpenSSL "
OpenSSL 1.0.1f 6 Jan 2014
Output on your system might look somewhat different. You can also run openssl version, although its output might not be reliable if there are several instances of OpenSSL on your server: the openssl command‑line tool can be linked against a different copy of the library than the one NGINX loads.
We strongly recommend that you upgrade to the most recent OpenSSL library provided by your operating system vendor, even if the earlier version you are running is not reported to be affected. Then restart NGINX so that it loads the updated library. A full restart (or a binary upgrade with the USR2 signal) is required; a configuration reload is not enough, because it forks new worker processes from the existing master process, which still has the old library mapped. Check your vendor’s response to CVE-2014-0224 to determine the correct upgrade process. For your convenience, here are the links for Debian, Red Hat, and Ubuntu.
Please note that some Linux operating system vendors have released fixed packages that still bear an earlier OpenSSL version number, electing to include just the fix for CVE‑2014‑0224 and related vulnerabilities in their packages in order to provide a small update quickly. In that case the version string reported by strings or openssl version does not tell you whether the fix is present; rely on the package version and the package changelog (for example, rpm -q --changelog openssl on Red Hat systems) instead.
If you have compiled NGINX yourself, you might have statically linked the OpenSSL libraries. In this case the output from ldd does not reveal dependencies on the operating system libssl.so library. Run nginx -V to display the compile‑time options you used:
$ ./objs/nginx -V
nginx version: nginx/1.7.1
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
configure arguments: --with-cc-opt=-I../openssl-1.0.1f/include
--with-ld-opt='-L../openssl-1.0.1f -Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic -ldl'
--with-openssl=../openssl-1.0.1f
If the OpenSSL version shown there is vulnerable (1.0.1f in this example), obtain a corrected release (1.0.1h for the 1.0.1 branch), rebuild NGINX with --with-openssl pointing at the new source tree, and restart it.
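As an added, runnable companion to the two checks above (this is not code from the NGINX post or from the nginx project), the following POSIX shell helpers parse the ldd, strings, and nginx -V output in the form shown above, compare the version against the fixed releases named in the advisory (0.9.8za, 1.0.0m, 1.0.1h), and add one check that follows from the restart advice: a master process started before the library upgrade still maps the old, now‑deleted libssl. The function names, the "run" entry point, the dependency on strings(1) from binutils and pidof(8), and the /proc‑based check (Linux only) are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the NGINX post. Assumed fixed releases are the
# ones the advisory names: 0.9.8za, 1.0.0m, 1.0.1h.

# Compare two OpenSSL letter suffixes ("f" < "h", "y" < "za"): a longer suffix
# is newer, equal-length suffixes compare alphabetically. Returns 0 when $1 >= $2.
suffix_ge() {
    a="$1"; b="$2"
    [ "${#a}" -gt "${#b}" ] && return 0
    [ "${#a}" -lt "${#b}" ] && return 1
    [ "$a" = "$b" ] && return 0
    lowest=$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)
    [ "$lowest" = "$b" ]
}

# Return 0 if a version such as 1.0.1f is at or above the fixed release for
# its branch, 1 if it is older, 2 if the branch is not covered by the advisory.
openssl_is_fixed() {
    ver="$1"
    base=$(printf '%s' "$ver" | sed 's/[a-z]*$//')
    letters=$(printf '%s' "$ver" | sed 's/^[0-9.]*//')
    case "$base" in
        0.9.8) fixed=za ;;
        1.0.0) fixed=m ;;
        1.0.1) fixed=h ;;
        *) return 2 ;;
    esac
    suffix_ge "$letters" "$fixed"
}

# Pull "1.0.1f" out of the banner strings(1) prints, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
openssl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Pull the library path out of an ldd(1) line such as
# "libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f82e62bf000)".
libssl_path_from_ldd() {
    printf '%s\n' "$1" | awk '$1 ~ /^libssl/ && $2 == "=>" { print $3 }'
}

# Pull the OpenSSL version out of the --with-openssl=... argument in nginx -V output
# (statically linked builds; the path is assumed to end in openssl-<version>).
static_openssl_from_configure() {
    printf '%s\n' "$1" | sed -n 's/.*--with-openssl=[^ ]*openssl-\([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Live check: dynamic link first, static link as the fallback. nginx -V writes to stderr.
check_nginx_openssl() {
    nginx_bin=$(command -v nginx) || { echo "nginx not in PATH" >&2; return 2; }
    line=$(ldd "$nginx_bin" 2>/dev/null | grep 'libssl' || true)
    if [ -n "$line" ]; then
        lib=$(libssl_path_from_ldd "$line")
        ver=$(openssl_version_from_banner "$(strings "$lib" | grep '^OpenSSL ' | head -n 1)")
    else
        ver=$(static_openssl_from_configure "$("$nginx_bin" -V 2>&1)")
    fi
    rc=0; openssl_is_fixed "$ver" || rc=$?
    case $rc in
        0) echo "OpenSSL $ver: at or above the fixed release" ;;
        1) echo "OpenSSL $ver: older than the fixed release; a vendor backport may still carry the fix, check the package changelog" ;;
        *) echo "OpenSSL $ver: branch not covered by the advisory" ;;
    esac
}

# After the library upgrade, a master started before it still maps the old file,
# and workers forked by a reload inherit that mapping. Linux /proc only (assumption).
nginx_maps_deleted_libssl() {
    for pid in $(pidof nginx 2>/dev/null); do
        if grep -q 'libssl.*(deleted)' "/proc/$pid/maps" 2>/dev/null; then
            echo "pid $pid still maps a deleted libssl; restart nginx (a reload is not enough)"
        fi
    done
}

case "${1:-}" in
    run) check_nginx_openssl; nginx_maps_deleted_libssl ;;
esac
```

Run it as sh check-openssl.sh run on the host; without the argument the script only defines the functions. The version comparison deliberately returns a distinct status for branches the advisory does not mention, so a backported vendor package or an unrelated branch is reported rather than silently called safe.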
NGINX for Windows, as distributed by NGINX, is statically linked with OpenSSL. The currently available builds for 1.7.1 and 1.6.0 have been updated with the fixes to OpenSSL.