I have VMware Skyline Health Diagnostics in my vCenter and we ran a Nessus scan on it. It came back with this vulnerability: "nginx 0.6x<1.20.1 1-Byte Memory Overwrite RCE Vulnerability". How do I fix it? The 2 links in Nessus did not help.
Description
Our next patch release will address the security issues; meanwhile we would suggest running the 'tdnf update -y' command in case the SHD VM has internet access. This command will update all the OS packages to the latest version.
The NGINX version will be updated in the upcoming SHD patch release; meanwhile nginx can be updated using the command below:
tdnf update nginx
This command will download and install the latest nginx version available as of that date.
Thanks
Ashish
Hi Ashish,
can I upgrade my SHD version 2.0.5 to 3.0.0 with an .OVA? If so, how?
thanks,
Lance
You cannot upgrade SHD from 2.0.5 to 3.0.0 via OVA, but you can deploy a new SHD 3.0.0 instance and have your SHD 2.0.5 data migrated into it. For this, just follow the instructions during OVA deployment and enter your old SHD instance details when asked.
Please keep the new SHD credentials the same as the old SHD credentials so that the data migration does not fail. You can change the credentials later if needed.
You can follow the steps mentioned in the section "Migrating the Existing Skyline Health Diagnostics Deployment to Version 3.0 and above" in the SHD release docs. Below is the link to the same
@araikwar "Our Next Patch release will address the security issues"
Today is 05.04.2022 - I have just deployed a new SHD and updated it to the newest version, 3.0.2
nginx -v
nginx version: nginx/1.16.1
SHD 3.0.2 Release Notes -->
It is still vulnerable 😉 So the new patch release changed nothing.
You have to use the fixed nginx version 1.17.7
We are talking about NGINX CVE-2021-23017 - Risk: High - CVSSv3.1 Base Score 8.1
Public exploit code for vulnerability #1 is available.
tdnf update -y is not a solution either. It doesn't update nginx ...
So after the SHD upgrade to the latest version and running "tdnf update -y" we are still on nginx version: nginx/1.16.1
This is crazy that VMware is releasing products with known exploited vulnerabilities.
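The check baszek did by hand above (read `nginx -v`, compare against the fixed release) is easy to script so it can be re-run after every SHD patch or `tdnf update`. The following is an added example, not code from the thread or from VMware: it parses the `nginx -v` banner and compares it with the fix threshold the Nessus plugin reports for this finding (1.20.1, per the plugin title quoted in the first post). The threshold is a parameter, so the 1.17.7 figure mentioned in the thread, or any other, can be passed instead; the banner string used in the demo is constructed to match what was pasted from SHD 3.0.2.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether an "nginx -v" banner is
# still below the fix threshold reported by Nessus for CVE-2021-23017.
# On the SHD appliance, run:  nginx_vuln_check "$(nginx -v 2>&1)"
# (nginx -v prints its banner to stderr, hence the 2>&1).

# Pull "1.16.1" out of "nginx version: nginx/1.16.1"; prints nothing if no match.
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p'
}

# Return 0 if dotted version $1 is strictly older than dotted version $2.
# Uses numeric sort on each dotted field so 1.9.9 < 1.16.1 < 1.20.1.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$1" ]
}

# Exit status: 0 = still affected (version below threshold),
#              1 = at/above threshold, 2 = banner could not be parsed.
# $1 = banner text, $2 = fix threshold (default 1.20.1, the Nessus plugin value).
nginx_vuln_check() {
    banner=$1
    threshold=${2:-1.20.1}
    ver=$(nginx_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "could not parse an nginx version from: $banner" >&2
        return 2
    fi
    if version_lt "$ver" "$threshold"; then
        echo "nginx $ver is below $threshold: still affected, patch required"
        return 0
    fi
    echo "nginx $ver is at or above $threshold: fixed"
    return 1
}

# Demo with a constructed banner matching the SHD 3.0.2 output quoted in the thread.
nginx_vuln_check 'nginx version: nginx/1.16.1'
```

Because the function's exit status encodes the verdict, it drops straight into a post-patch check such as `nginx_vuln_check "$(nginx -v 2>&1)" && echo "re-open the ticket"`; passing `1.17.7` as the second argument reproduces the comparison against the version named in this post.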
Thanks baszek, I have opened an internal issue for fixing the nginx issue; I will update you when it gets fixed.
Thanks for this info
@araikwar any updates ?
@araikwar I don't know what kind of drugs you are taking in VMware California - it's been more than one year and the problem is still not solved:
New in 3.0.3, June 2022 Release --> nginx version: nginx/1.16.1 === still not patched !!!!!!!!!!!!!!!!!!!!!!!!!