lancestorm3
Contributor

Critical Vulnerability on SHD


I have VMware Skyline Health Diagnostics in my vCenter and we ran a Nessus scan on it. It came back with this vulnerability: "nginx 0.6x<1.20.1 1-Byte Memory Overwrite RCE Vulnerability". How do I fix it? The two links in Nessus did not help.

Description

According to its Server response header, the installed version of nginx is 0.6.18 prior to 1.20.1. It is, therefore, affected by a remote code execution vulnerability. A security issue in nginx resolver was identified, which might allow an unauthenticated remote attacker to cause 1-byte memory overwrite by using a specially crafted DNS response, resulting in worker process crash or, potentially, in arbitrary code execution.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to nginx 1.20.1 or later.

Accepted Solutions
araikwar
VMware Employee

Our next patch release will address the security issues; meanwhile I would suggest running the 'tdnf update -y' command in case the SHD VM has internet access. This command will update all the OS packages to the latest versions.

11 Replies
araikwar
VMware Employee

The NGINX version will be updated in the upcoming SHD patch release; meanwhile nginx can be updated using the command below:

tdnf update nginx

This command will download and install the latest nginx version available as of that date.

Thanks

Ashish

lancestorm3
Contributor

Hi Ashish,

Can I upgrade my SHD version 2.0.5 to 3.0.0 with an .OVA? If so, how?

thanks,

Lance

araikwar
VMware Employee

You cannot upgrade SHD from 2.0.5 to 3.0.0 via OVA, but you can deploy a new SHD 3.0.0 instance and have your SHD 2.0.5 data migrated into it. For this, just follow the instructions during OVA deployment and enter your old SHD instance details when asked.

Please keep the new SHD credentials the same as the old SHD credentials so that the data migration does not fail. You can change the credentials later if needed.

araikwar
VMware Employee

You can follow the steps mentioned in the section "Migrating the Existing Skyline Health Diagnostics Deployment to Version 3.0 and above" in the SHD release docs. Below is the link to the same:

https://docs.vmware.com/en/VMware-Skyline-Health-Diagnostics/services/Skyline-Health-Diagnostics/GUI...

lancestorm3
Contributor

I just created a new SHD 3.0.0 instance, but it has more vulnerabilities than the older version. Please look at the attachment. Is there any way to fix these vulnerabilities?

araikwar
VMware Employee

Our next patch release will address the security issues; meanwhile I would suggest running the 'tdnf update -y' command in case the SHD VM has internet access. This command will update all the OS packages to the latest versions.

baszek
Enthusiast

@araikwar "Our Next Patch release will address the security issues"

Today is 05.04.2022. I have just deployed a new SHD and updated it to the newest version, 3.0.2:

nginx -v
nginx version: nginx/1.16.1


SHD 3.0.2 Release Notes --> 

  • NGINX server has been updated to nginx-1.16.1-5.ph3. 


It is still vulnerable 😉 So the new patch release changed nothing.
You have to use the fixed nginx version 1.17.7.


We are talking about NGINX CVE-2021-23017 - Risk: High - CVSSv3.1 Base Score 8.1
Public exploit code for vulnerability #1 is available.

baszek
Enthusiast

tdnf update -y is not a solution either. It doesn't update nginx.
So after upgrading SHD to the latest version and running "tdnf update -y", we are still on nginx version: nginx/1.16.1.
This is crazy: VMware is releasing products with known exploited vulnerabilities.

araikwar
VMware Employee
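The two posts above show the two facts a practitioner has to reconcile: the Nessus finding is made purely from the banner version (the plugin text says so), and the banner stays at nginx/1.16.1 after the SHD patch and after tdnf. The script below is an added example, not code from the thread, from VMware or from Nessus. It mirrors the version-only judgement the plugin describes (flag when 0.6.18 <= version < 1.20.1), and then checks the installed package's changelog for the CVE identifier, which is the usual way to tell a distribution backport apart from a genuinely unpatched build. Assumptions: the banner or `nginx -v` output carries `nginx/x.y.z`; on Photon OS the changelog source would be `rpm -q --changelog nginx`; the two changelog texts embedded here are constructed samples, not real Photon OS changelog entries, and say nothing about whether nginx-1.16.1-5.ph3 actually carries the fix.

```shell
#!/bin/sh
# Added example (not from the thread, VMware or Nessus): reproduce the
# version-only CVE-2021-23017 judgement and combine it with a changelog check.

FIXED_VERSION="1.20.1"   # first 1.20.x release carrying the resolver fix
FIRST_AFFECTED="0.6.18"  # lower bound of the affected range per the plugin text
CVE="CVE-2021-23017"

# Pull "x.y.z" out of a Server header or an `nginx -v` line.
# Prints nothing when the line carries no nginx version.
nginx_version_from_line() {
    printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p'
}

# version_lt A B: exit 0 when A sorts before B, comparing dotted numeric
# components left to right; a missing component counts as 0 (1.20 < 1.20.1).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0};  bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1
}

# Mirror the scanner: flag when FIRST_AFFECTED <= version < FIXED_VERSION.
scanner_flags() {
    v="$1"
    [ -n "$v" ] || return 2
    if version_lt "$v" "$FIRST_AFFECTED"; then return 1; fi
    version_lt "$v" "$FIXED_VERSION"
}

# Does the package changelog text mention the CVE? On Photon OS the text
# would come from:  rpm -q --changelog nginx
changelog_mentions_cve() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# Combine both signals into one verdict string.
assess() {
    banner_line="$1"; changelog="$2"
    v=$(nginx_version_from_line "$banner_line")
    if [ -z "$v" ]; then echo "no-nginx-version"; return 0; fi
    if scanner_flags "$v"; then
        if changelog_mentions_cve "$changelog" "$CVE"; then
            echo "flagged-by-banner-but-changelog-claims-backport:$v"
        else
            echo "vulnerable-unless-patched:$v"
        fi
    else
        echo "not-flagged:$v"
    fi
}

# Constructed changelog samples (hypothetical, not real Photon OS entries).
CHANGELOG_WITH_BACKPORT='* Tue Jun 01 2021 Example Maintainer <maint@example.com> 1.16.1-5
- Backport fix for CVE-2021-23017 (resolver 1-byte memory overwrite)
* Mon Jan 04 2021 Example Maintainer <maint@example.com> 1.16.1-4
- Rebuild'
CHANGELOG_WITHOUT_BACKPORT='* Mon Jan 04 2021 Example Maintainer <maint@example.com> 1.16.1-4
- Rebuild'

# Demo over the banners seen in the thread plus a non-nginx header.
for line in 'Server: nginx/1.16.1' 'nginx version: nginx/1.16.1' \
            'Server: nginx/1.20.1' 'Server: Apache'; do
    printf '%-30s -> %s\n' "$line" "$(assess "$line" "$CHANGELOG_WITHOUT_BACKPORT")"
done
```

A changelog hit is a claim by the packager, not proof: confirm it against the vendor's advisory or by diffing the package's patch set against the upstream resolver fix before closing the finding. Without such evidence the banner version alone is all the scanner has, and 1.16.1 will keep being flagged.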

Thanks baszek, I have opened an internal issue for fixing the nginx issue; I will update you when it is fixed.

BigMike23
Enthusiast

Thanks for this info

baszek
Enthusiast

@araikwar any updates?
