
===================================================================
                                                       CERT-Renater

                   Information Note No. 2022/VULN396

_____________________________________________________________________

DATE                : 21/10/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running
                     NGINX Plus versions prior to R27 P1, R26 P1,
                     NGINX Open Source versions prior to 1.23.2 (mainline),
                                                       1.22.1 (stable),
                     NGINX Open Source Subscription versions prior to R2 P1, R1 P1,
                     NGINX Ingress Controller versions prior to 2.4.1, 1.12.5.

====================================================================
https://www.nginx.com/blog/updating-nginx-for-vulnerabilities-in-the-mp4-and-hls-video-streaming-modules/
_____________________________________________________________________

Updating NGINX for Vulnerabilities in the MP4 and HLS Video-Streaming
Modules

Prabhat Dixit of F5, Principal Product Manager
October 19, 2022


Today, we are releasing updates to NGINX Plus, NGINX Open Source,
NGINX Open Source Subscription, and NGINX Ingress Controller in
response to recently discovered vulnerabilities in the NGINX
modules for video streaming with the MP4 and Apple HTTP Live
Streaming (HLS) formats, ngx_http_mp4_module and
ngx_http_hls_module. (NGINX Open Source Subscription is a specially
packaged edition of NGINX Open Source available in certain
geographies.)

The vulnerabilities have been registered in the Common
Vulnerabilities and Exposures (CVE) database and the F5
Security Incident Response Team (F5 SIRT) has assigned scores
to them using the Common Vulnerability Scoring System (CVSS v3.1)
scale.

The following vulnerabilities in the MP4 module (ngx_http_mp4_module)
apply to NGINX Plus, NGINX Open Source, and NGINX Open Source
Subscription.

   CVE-2022-41741 (Memory Corruption) – CVSS score 7.1 (High)
   CVE-2022-41742 (Memory Disclosure) – CVSS score 7.0 (High)

The following vulnerability in the HLS module (ngx_http_hls_module)
applies to NGINX Plus only.

   CVE-2022-41743 (Memory Corruption) – CVSS score 7.0 (High)


Patches for these vulnerabilities are included in the following
software versions:

   NGINX Plus R27 P1
   NGINX Plus R26 P1
   NGINX Open Source 1.23.2 (mainline)
   NGINX Open Source 1.22.1 (stable)
   NGINX Open Source Subscription R2 P1
   NGINX Open Source Subscription R1 P1
   NGINX Ingress Controller 2.4.1
   NGINX Ingress Controller 1.12.5

All versions of NGINX Plus, NGINX Open Source, NGINX Open Source
Subscription, and NGINX Ingress Controller are affected. We
strongly recommend that you upgrade your NGINX software to the
latest version.

For NGINX Plus upgrade instructions, see Upgrading NGINX Plus
in the NGINX Plus Admin Guide. NGINX Plus customers can also
contact our support team for assistance at https://my.f5.com/.
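Added check, not part of the CERT-Renater note or of NGINX's own tooling: a POSIX shell script that compares the version reported by `nginx -V` with the fixed NGINX Open Source releases listed above (1.23.2 mainline, 1.22.1 stable) and reports whether the build includes the MP4 module (configure flag --with-http_mp4_module). The `nginx -V` sample is constructed; NGINX Plus R-numbered releases are not handled by this check.

```shell
#!/bin/sh
# Added example (not CERT-Renater or NGINX code): check an NGINX Open Source
# build against the fixed releases in this note, 1.23.2 (mainline) and
# 1.22.1 (stable). NGINX Plus R-numbered releases are not handled here.

# nginx_os_fixed VERSION -> 0 if VERSION is at or after the fixed release of
# its branch, 1 if it is an affected version, 2 if VERSION is unusable.
nginx_os_fixed() {
    case "$1" in
        *.*.*) v=$1 ;;
        *.*)   v=$1.0 ;;                       # "1.22" -> treat as 1.22.0
        *)     return 2 ;;
    esac
    case "$v" in *[!0-9.]*) return 2 ;; esac   # digits and dots only
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] || return 1             # 0.x predates both fixed branches
    [ "$minor" -gt 23 ] && return 0            # anything newer than 1.23 mainline
    [ "$minor" -eq 23 ] && [ "$patch" -ge 2 ] && return 0   # 1.23.2 and later
    [ "$minor" -eq 22 ] && [ "$patch" -ge 1 ] && return 0   # 1.22.1 and later
    return 1                                   # 1.21 and older never got the fix
}

# mp4_module_built NGINX_V_OUTPUT -> 0 if the build includes ngx_http_mp4_module
# (configure flag --with-http_mp4_module), the module the MP4 CVEs are in.
mp4_module_built() {
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# assess NGINX_V_OUTPUT -> prints a verdict; returns 0 when at/after the fix,
# 1 when an affected version is found, 2 when the version line is unparseable.
assess() {
    ver=$(printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p')
    if nginx_os_fixed "$ver"; then rc=0; else rc=$?; fi
    if mp4_module_built "$1"; then mod="MP4 module built in"; else mod="MP4 module not built in"; fi
    case $rc in
        0) echo "nginx/$ver: at or after the fixed release ($mod)" ;;
        1) echo "nginx/$ver: affected by CVE-2022-41741 / CVE-2022-41742, upgrade ($mod)" ;;
        *) echo "could not parse the 'nginx version:' line" ;;
    esac
    return $rc
}

# Constructed sample of `nginx -V` output (nginx prints it on stderr) for a
# stand-alone run; on a real host use: assess "$(nginx -V 2>&1)"
SAMPLE='nginx version: nginx/1.22.0
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module'
assess "$SAMPLE" || echo "exit status: $?"
```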


========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41          +
+ 75013 Paris         |   email: cert@support.renater.fr +
========================================================
