Nginx update

A vulnerability scanner has flagged nginx version 1.8.1 as vulnerable. To resolve, nginx version 1.20.1 or 1.21.0 needs to be installed. Is this something that will break the current librenms install?

Validate and daily are both up to date, no errors. I’ve also run apt-get update and apt-get upgrade and everything has been updated.

The OS is Ubuntu 20.04.3 LTS

Any assistance with updating to nginx to 1.20.1 or 1.21.0 is appreciated.

Thanks.

nginx has no effect on LibreNMS at all, you can use any webserver you like.

Thanks, I just followed the tutorial and used defaults/what the tutorial listed. I have no clue how I’d remove nginx in favor of something else, I don’t want to break the web GUI. If you can provide instructions on how to update nginx or migrate to another web server, that would be appreciated. If not, then this thread can be deleted.

I’m also running Ubuntu 20.04.3 LTS (Focal Fossa) on my LibreNMS server.

If you have version 1.8.1 of nginx installed on yours, you either mistyped the version number or you have not updated Ubuntu in a long time?

dpkg -l | grep nginx
ii  libnginx-mod-http-auth-pam           1.18.0-0ubuntu1.2                     amd64        PAM authentication module for Nginx
ii  libnginx-mod-http-dav-ext            1.18.0-0ubuntu1.2                     amd64        WebDAV missing commands support for Nginx
ii  libnginx-mod-http-echo               1.18.0-0ubuntu1.2                     amd64        Bring echo and more shell style goodies to Nginx
ii  libnginx-mod-http-geoip              1.18.0-0ubuntu1.2                     amd64        GeoIP HTTP module for Nginx
ii  libnginx-mod-http-geoip2             1.18.0-0ubuntu1.2                     amd64        GeoIP HTTP module for Nginx
ii  libnginx-mod-http-image-filter       1.18.0-0ubuntu1.2                     amd64        HTTP image filter module for Nginx
ii  libnginx-mod-http-subs-filter        1.18.0-0ubuntu1.2                     amd64        Substitution filter module for Nginx
ii  libnginx-mod-http-upstream-fair      1.18.0-0ubuntu1.2                     amd64        Nginx Upstream Fair Proxy Load Balancer
ii  libnginx-mod-http-xslt-filter        1.18.0-0ubuntu1.2                     amd64        XSLT Transformation module for Nginx
ii  libnginx-mod-mail                    1.18.0-0ubuntu1.2                     amd64        Mail module for Nginx
ii  libnginx-mod-stream                  1.18.0-0ubuntu1.2                     amd64        Stream module for Nginx
ii  nginx-common                         1.18.0-0ubuntu1.2                     all          small, powerful, scalable web/proxy server - common files
ii  nginx-full                           1.18.0-0ubuntu1.2                     amd64        nginx web/proxy server (standard version)

So dist-upgrade your ubuntu installation first of all…

Something to keep in mind is that it’s quite normal for distribution provided versions of packages to not be the “latest” version for stability reasons, (this is especially true on Debian derived distributions like Ubuntu which are very conservative) however they will backport security fixes from the latest versions if necessary or use older but still maintained branches of software.

So the latest official version of nginx is 1.20.1 and the latest version in Ubuntu LTS is 1.18.0-0ubuntu1.2, however this is NOT the same as vanilla nginx 1.18.0, this is a custom build with either Debian or Ubuntu authored backports of critical security fixes from later versions of nginx.

For some projects like PHP the PHP developers maintain multiple branches at once - for example 8.0.12 is the latest bugfix/security fix version of PHP 8 while 7.4.25 is the latest bugfix/security fix version of the 7.4 branch. If vulnerabilities are found both branches will receive fixes, so you don’t need to be on version 8 to be secure.

I don’t know whether nginx follows the same development model of multiple maintained branches as I don’t know much about nginx, however in either case the distribution provided versions will either be kept up to date or fixes will be backported by the package maintainers.

In short as long as your nginx installation is from apt not compiled from source or downloaded as a tar, dist-upgrade your system to get the latest ubuntu provided version and you will have a version that is patched against the vulnerability, even if the version number is lower than the minimum fixed version on the nginx website.

If your “vulnerability scanner” is just testing the version number and looking for official nginx builds it will not accurately reflect whether you are patched or not when you are using distribution specific custom builds of software.

If you want to be sure check the security news for Ubuntu for the nginx packages and there should be something about the necessary fixes being put in place. Unless the vulnerability is less than a few days old the latest version of the Ubuntu packages should have a fix.


Yes, I may have typo’ed 18 for 8, I will check and report back. I have run apt-get update and upgrade and the OS is running the latest after running those two commands.

Thanks for the detailed post.

If you want to be sure check the security news for Ubuntu for the nginx packages and there should be something about the necessary fixes being put in place. Unless the vulnerability is less than a few days old the latest version of the Ubuntu packages should have a fix.

The vulnerability is new, network devices/servers/etc are scanned weekly and this was reported about two weeks ago. I will take your advice about checking the security news for ubuntu nginx package.

Do you have a CVE number for the “new” vulnerability in nginx?

Here are the list of publicly disclosed vulnerabilities:

http://nginx.org/en/security_advisories.html

The only one listed in the last 2 years is CVE-2021-23017, this was disclosed on May 25th 2021, e.g. about 6 months ago:

http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html

The current version of nginx package in Ubuntu 20.04.3 LTS which was already installed on my system is 1.18.0-0ubuntu1.2, which was released one day after this on May 26th:

https://launchpad.net/ubuntu/+source/nginx/1.18.0-0ubuntu1.2

You’ll note in the description for this security update that it specifically addresses CVE-2021-23017 even though the version is not 1.20.1 or 1.21.0.

In other words they have backported the fix to version 1.18.0. Given how trivial the fix is it would have been very easy for them to do this:

http://nginx.org/download/patch.2021.resolver.txt

In short, if you have done a dist-upgrade on your Ubuntu system any time since May 26th you are already protected against this particular issue, so nothing to worry about - they had this particular problem patched within one day of disclosure.

If you are already updated and your “vulnerability scanner” is still flagging it as vulnerable it is a false positive. I’d be curious to know what vulnerability scanner you’re using which is reporting this.

I did have a typo, the version is 1.80.0 and I have updated the OS, it was done just before submitting this thread. The CVE is 2021-23017. I’m going to read the info in those links regarding the fix, thanks.

I don’t know which scanner is being used, but I know it is a popular scanner. It seems that the results from the scanner match what is shown on this page, https://www.nginx.com/blog/updating-nginx-dns-resolver-vulnerability-cve-2021-23017/

Specifically these bullet points

NGINX Open Source 1.20.1 (stable)
NGINX Open Source 1.21.0 (mainline)

Until the scanner shows that librenms is running nginx 1.20.1 or 1.21.0 the scan will still flag it as vulnerable even though the fix is in place (if the OS is fully updated, which it is).

In that case the scanner you’re using is pretty much useless I’m afraid if it’s simply looking for and failing to find version 1.20.1 or 1.21.0.

It’s standard practice for most Linux distributions to provide older but stable versions of software such as nginx (especially Debian derivatives like Ubuntu) in their package library - when an exploitable security vulnerability is found and a security fix is released by the nginx developers Debian/Ubuntu don’t just jump to the latest version if they are on an older branch, they backport (incorporate) the specific patches that fix the security hole into the version that they are currently providing if at all possible.

Were they to jump from 1.18.0 to 1.20.1 just for a minor security patch it’s likely they’d break more than they fix as there could be all kinds of other changes between the two versions and Debian stable doesn’t like to break anything - they are very conservative about moving to newer versions of anything other than for security fix reasons.

In this example the patch is trivial and only affects a few lines of code. So 1.18.0-0ubuntu1.2 includes the security fix that was released in version 1.20.1 and 1.21.0 by the nginx developers. This is not the same as the “vanilla” 1.18.0 release directly from nginx and probably already has other departures from that code version.

If that vulnerability scanner was any good it would have a list of all the Linux distribution provided versions of nginx and whether they are vulnerable or fixed but apparently it doesn’t do that.
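The distinction drawn in this reply, and in the earlier one about distribution backports, can be checked mechanically. The following is an added example, not code from this thread or from LibreNMS: it implements Debian-style version ordering (the ordering `dpkg --compare-versions` uses) in Python and tests the installed Ubuntu package version against the distribution's fixed build (1.18.0-0ubuntu1.2, cited above) rather than the upstream release (1.20.1). The distribution key `ubuntu-20.04` and the helper names are assumptions.

```python
import re
from itertools import zip_longest

# Fixed versions for CVE-2021-23017 as cited in the thread: upstream 1.20.1,
# and the Ubuntu 20.04 build that backports the same fix, 1.18.0-0ubuntu1.2.
UPSTREAM_FIXED = "1.20.1"
DISTRO_FIXED = {"ubuntu-20.04": "1.18.0-0ubuntu1.2"}

def _order(c):
    # Debian ordering for non-digits: '~' < end of string (0) < letters < other punctuation.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_text(a, b):
    for ca, cb in zip_longest(a, b):
        d = (_order(ca) if ca else 0) - (_order(cb) if cb else 0)
        if d:
            return d
    return 0

def _cmp_fragment(a, b):
    # Alternate non-digit/digit chunks: text via _order, numbers numerically.
    pa, pb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (ta, da), (tb, db) in zip_longest(pa, pb, fillvalue=("", "")):
        d = _cmp_text(ta, tb) or int(da or 0) - int(db or 0)
        if d:
            return d
    return 0

def _split(v):
    # [epoch:]upstream[-debian_revision]; epoch defaults to 0, revision to "".
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return <0, 0, >0 like `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def installed_nginx(dpkg_l_output):
    """Version of the first installed ('ii') nginx-* package in `dpkg -l` output."""
    m = re.search(r"^ii\s+nginx-\S+\s+(\S+)", dpkg_l_output, re.M)
    return m.group(1) if m else None

def version_only_check(installed):  # naive scanner: below the upstream fixed version?
    return compare_versions(installed, UPSTREAM_FIXED) < 0

def distro_aware_check(installed, distro):  # below the distribution's fixed build?
    return compare_versions(installed, DISTRO_FIXED[distro]) < 0
```

Fed the `nginx-full 1.18.0-0ubuntu1.2` line quoted earlier in the thread, `version_only_check` reports vulnerable (the scanner's false positive) while `distro_aware_check` does not.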

If that vulnerability scanner was any good it would have a list of all the Linux distribution provided versions of nginx and whether they are vulnerable or fixed but apparently it doesn’t do that.

Maybe it does, I’m not sure, I can try to find out.
