Will upgrading the kernel of the proxy NGINX server be enough to prevent CVE-2017-6214 exploitation?
Our security department recently asked us to upgrade our servers in order to avoid possible attack caused by http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6214
Now, we have a lot of such servers, but all requests are proxied through one with NGINX. So, the question is, will it be enough to upgrade just this one?
As far as I understood, the vulnerability is present at the TCP level, if the TCP packages contain a special URG flag. Do I understand correctly, that NGINX works the following way as proxy:
- Receives TCP packages and combines them as the HTTP request.
- Chooses the appropriate back-end server to send it to.
- Sends the request, generating it's own TCP packages, that are safe, and don't contain any vulnerable info? Or this is not the case, and NGINX simply resends the TCP packages it received?
Solution 1:
Yes, when nginx is configured as a reverse proxy there is no direct TCP/IP connection between the clients and the back-end servers.
Nginx operates at layer 7 of the OSI model, the application layer and when it receives valid HTTP requests it will make it's own HTTP requests on behalf of clients to the appropriate back-end server. Remote clients can't manipulate what happens between nginx and the back-end servers at the TCP/IP level (layer 3/4 of the OSI model).