nginx (CVE-2022-41741 and 41742) vulnerability fixes

1. Vulnerability description

NGINX recently disclosed several medium- and high-risk vulnerabilities: CVE-2022-41741 (Memory Corruption) – CVSS score 7.1 (High) and CVE-2022-41742 (Memory Disclosure) – CVSS score 7.0 (High). Both are vulnerabilities in the MP4 streaming media module (ngx_http_mp4_module) and affect NGINX Plus, NGINX Open Source Edition, and NGINX Enterprise Edition.

1) Vulnerability: CVE-2022-41741

NGINX has a vulnerability in the ngx_http_mp4_module that could allow an attacker to compromise NGINX. A specially crafted mp4 file can corrupt the memory of the worker process (responsible for traffic processing), causing it to terminate or potentially have other effects. This issue only affects NGINX with the ngx_http_mp4_module module enabled and the mp4 directive used in the configuration file. Furthermore, the attack is only likely to be successful if the attacker is able to trigger the processing of specially crafted mp4 files using the ngx_http_mp4_module.

Related links: NGINX ngx_http_mp4_module

Impact: A successful exploit could allow a local attacker to compromise the NGINX worker process, causing it to terminate or potentially have other impact.

Fix Recommendations: It is strongly recommended that you upgrade your software to the latest version. The nginx-1.22.1 stable version and nginx-1.23.2 mainline version have been released and include fixes for memory corruption and memory leaks in ngx_http_mp4_module (CVE-2022-41741, CVE-2022-41742).

Mitigation: The ngx_http_mp4_module module provides server-side support for pseudo-streaming of MP4 files, which typically use the .mp4, .m4v or .m4a file extensions. By default, the NGINX open source version does not include the MP4 module, which must be enabled for the server to be affected. The MP4 module is included by default with NGINX Plus. In summary, the mitigation measures are to only allow trusted users to publish audio and video files, or to disable the MP4 module in the NGINX configuration until you have upgraded to a fixed version.

2) Vulnerability: CVE-2022-41742

NGINX has a vulnerability in the ngx_http_mp4_module, which may allow an attacker to trigger the crash of the worker process, or cause a memory leak in the worker process by using a specially crafted mp4 file. This issue only affects NGINX with the ngx_http_mp4_module module enabled (not enabled by default) and the mp4 directive used in the configuration file. Furthermore, the attack is only likely to be successful if the attacker is able to trigger the processing of specially crafted mp4 files using the ngx_http_mp4_module.

Related links: NGINX ngx_http_mp4_module

Impact: A successful exploit could allow an attacker to compromise the NGINX worker process, causing it to terminate or leak memory.

Mitigation: The ngx_http_mp4_module module provides server-side support for pseudo-streaming of MP4 files, which typically use the .mp4, .m4v or .m4a file extensions. For details, please see https://nginx.org/en/docs/http/ngx_http_mp4_module.html

Note: By default, the NGINX open source version does not include the MP4 module, and this module must be enabled for the server to be affected. The MP4 module is included by default with NGINX Plus.

In summary, the mitigation measures are to only allow trusted users to publish audio and video files, or to disable the MP4 module in the NGINX configuration until you have upgraded to a fixed version.

3) Vulnerability: CVE-2022-41743

A vulnerability exists in the NGINX Plus module ngx_http_hls_module that could allow a local attacker to corrupt NGINX's worker process memory, causing it to crash or have other potential impact when using a specially crafted audio or video file. **This issue only affects NGINX Plus when the hls directive is used in the configuration file.** Additionally, the attack is only likely to be successful if the attacker can trigger the processing of specially crafted audio or video files using the module ngx_http_hls_module. The ngx_http_hls_module module provides HTTP streaming server-side support for MP4 and MOV media files. Such files usually have a filename extension of .mp4, .m4v, .m4a, .mov or .qt. The module supports the H.264 video codec and the AAC and MP3 audio codecs. For details, please see: ngx_http_hls_module.

Impact: A successful exploit could allow a local attacker to compromise the NGINX worker process, causing it to terminate or potentially have other impact.

Scope of impact: CVE-2022-41743 (Memory Corruption) – CVSS score 7.0 (High). The vulnerability in the HLS streaming module (ngx_http_hls_module) only affects NGINX Plus.

Repair suggestion: Disable the ngx_http_hls_module module and related configurations.

Related links: NGINX ngx_http_mp4_module, CVE Search, Vulnerability Repair Reference

2. Repair processing

1) Vulnerability: CVE-2022-41741/2 fixed

1. Upgrade Nginx to version 1.23.2; for the installation media, see: software download.
yum -y install gcc gcc-c++ autoconf automake make pcre pcre-devel zlib zlib-devel
wget https://www.openssl.org/source/openssl-1.1.1t.tar.gz   # TLS certificate verification stays on when fetching the OpenSSL source
tar -xzf openssl-1.1.1t.tar.gz && cd openssl-1.1.1t
./config
make && make install   # '&&' so that install runs only after a successful build
echo "/usr/local/lib64/" >> /etc/ld.so.conf
ldconfig
cd ..   # assumes the nginx source tree is unpacked next to the OpenSSL one
vim nginx-1.23.4/auto/lib/openssl/conf   # modify lines 39-42 of this file:

            CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
            CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
            CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
            CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"

cd nginx-1.23.4
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-openssl=system
make && make install
/usr/local/nginx/sbin/nginx -v   # confirm the installed version after the upgrade

2. Disable ngx_http_mp4_module

2) Vulnerability: CVE-2022-41743 fixed

1. Disable the ngx_http_hls_module module and related configurations

2. Upgrade NGINX Plus to the latest version
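
To decide which hosts need the steps above, the following added example (not part of the original post) checks a version number against the fixed releases named on this page and finds active mp4/hls directives in configuration files. The function names and file paths are assumptions, and the version test applies to NGINX Open Source version numbers only.

```shell
#!/bin/sh
# Added example, not from the original post. Version thresholds are the fixed
# releases named above; file paths and function names are assumptions.

# is_fixed_version VERSION: succeeds if an NGINX Open Source version number is
# 1.22.1 or later on the 1.22 stable branch, or 1.23.2 or later.
is_fixed_version() {
    ver=${1#nginx/}
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 23 ] && return 0
    [ "$minor" -eq 23 ] && [ "$patch" -ge 2 ] && return 0
    [ "$minor" -eq 22 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# directive_uses NAME FILE...: prints "file:line:text" for each active use of
# the directive NAME (mp4 or hls). Comments are stripped, and NAME must start
# a statement, so "mp4_buffer_size 1m;" and the MIME entry "video/mp4 mp4;"
# are not reported. Included files must be passed explicitly.
directive_uses() {
    name=$1; shift
    for f in "$@"; do
        awk -v f="$f" -v n="$name" '
            { sub(/#.*/, "") }
            $0 ~ ("(^|[{};])[ \t]*" n "[ \t]*;") { print f ":" NR ":" $0 }
        ' "$f"
    done
}

# mp4_exposure VERSION FILE...: prints not-configured, patched or exposed.
mp4_exposure() {
    v=$1; shift
    if [ -z "$(directive_uses mp4 "$@")" ]; then echo "not-configured"
    elif is_fixed_version "$v"; then echo "patched"
    else echo "exposed"
    fi
}

# Stand-alone use: sh check.sh /etc/nginx/nginx.conf [other conf files]
if [ "$#" -gt 0 ]; then
    running=$(nginx -v 2>&1 | sed 's|.*nginx/||; s/ .*//')
    directive_uses mp4 "$@"
    directive_uses hls "$@"   # hls exists only in NGINX Plus (CVE-2022-41743)
    echo "mp4 on nginx $running: $(mp4_exposure "$running" "$@")"
fi
```

An "exposed" result means the mp4 directive is active on an unfixed version, so either the upgrade or removal of the directive applies; any hls hit on NGINX Plus is handled by the CVE-2022-41743 steps.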

Origin blog.csdn.net/ximenjianxue/article/details/132897039