Cloud service providers remain vigilant – Nginx controller NATS vulnerability – CVE-2020-5910

Preface: Nginx was written specifically to address the performance limitations of Apache web servers

Background: In March 2019, Nginx Inc was acquired by F5 Networks for US$670 million. According to statistic on 2020. Nginx server deployed by “375 million websites. There are 1,500 paying customers.

Vulnerability detail : A malicious user with access to the host where NGINX Controller is running on may eavesdrop on NATS connections and, thereby, gain unauthorized access data stored in the message queue. Please refer to the website for details – https://support.f5.com/csp/article/K59209532

Observation: The possible ways to exploit this vulnerability are as follows:
Refer to attached diagram, under such circumstances, design require ingress expose the cluster via a host port and also make it possible to advertise its public ip addresses.
A malicious user with access to the host where NGINX Controller is running on may eavesdrop on NATS connections and, thereby, gain unauthorized access data stored in the message queue.

Remedy: Upgrade to 3.6.0

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.