CVE-2021-46462

7.5 HIGH

📋 TL;DR

CVE-2021-46462 is a segmentation fault vulnerability in njs (NGINX JavaScript) through version 0.7.1. This vulnerability could allow an attacker to crash NGINX processes via specially crafted JavaScript code, potentially leading to denial of service. Organizations using NGINX with njs enabled are affected.

💻 Affected Systems

Products:
  • NGINX with njs module
  • NGINX Plus with njs module
Versions: njs versions through 0.7.1
Operating Systems: All operating systems running affected njs versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if njs module is explicitly enabled and configured in NGINX. Default NGINX installations without njs are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete NGINX service disruption through repeated crashes, causing extended denial of service for web applications.

🟠 Likely Case

Intermittent NGINX worker process crashes leading to temporary service interruptions and degraded performance.

🟢 If Mitigated

Minimal impact with proper monitoring and automatic process restart mechanisms in place.

🌐 Internet-Facing: HIGH - NGINX is commonly internet-facing and attackers can trigger the vulnerability remotely if njs is enabled.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to disrupt internal services using NGINX with njs.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted JavaScript to trigger the segmentation violation. No authentication needed if njs endpoint is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: njs 0.7.2 and later

Vendor Advisory: https://github.com/nginx/njs/commit/39e8fa1b7db1680654527f8fa0e9ee93b334ecba

Restart Required: Yes

Instructions:

1. Update njs to version 0.7.2 or later.
2. Recompile NGINX with updated njs module if using source build.
3. Restart NGINX service.
4. For package managers: use appropriate update command for your distribution.

🔧 Temporary Workarounds

Disable njs module

all

Remove or disable njs module configuration in NGINX if not required

# Comment out or remove njs-related directives in nginx.conf
# Remove 'js_include' and 'js_content' directives

Restrict njs endpoint access

all

Limit access to endpoints that process njs JavaScript

# Add access controls in nginx location blocks
location /js-endpoint {
    # Replace 192.0.2.0/24 (a documentation range) with your trusted network
    allow 192.0.2.0/24;
    deny all;
}

🧯 If You Can't Patch

  • Implement rate limiting on njs endpoints to reduce attack surface
  • Deploy monitoring for NGINX process crashes and implement automatic restart

🔍 How to Verify

Check if Vulnerable:

Check njs version: njs -v or examine NGINX configuration for njs module usage

Check Version:

njs -v

Verify Fix Applied:

Verify njs version is 0.7.2 or later: njs -v

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault errors in NGINX error logs
  • Worker process crashes with signal 11 (SIGSEGV)
  • Increased frequency of worker process restarts

Network Indicators:

  • Unusual patterns of requests to njs endpoints
  • Sudden service interruptions followed by NGINX restarts

SIEM Query:

source="nginx_error.log" AND ("segmentation fault" OR "signal 11")
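
The log indicators above can also be checked offline against an error log. The following is an added example, not part of the original advisory or of the nginx project: it matches worker exits on signal 11 and groups them into bursts, ignoring other lines that merely mention a signal. The log lines are constructed samples, and the threshold of 3 crashes within 5 minutes is an assumed value to tune.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# nginx's master process logs abnormal worker exits in this form.
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)"
)

def find_crash_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Group SIGSEGV worker exits into bursts of >= threshold within window."""
    recent = deque()  # (timestamp, pid) of SIGSEGV exits still inside the window
    bursts = []
    for line in lines:
        m = CRASH_RE.match(line)
        if not m or m["sig"] != "11":
            continue  # not a worker exit, or a signal other than SIGSEGV
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        recent.append((ts, int(m["pid"])))
        if len(recent) < threshold:
            continue
        if bursts and bursts[-1]["end"] >= recent[0][0]:
            burst = bursts[-1]  # previous burst still overlaps the window: extend
            burst["end"] = ts
            burst["pids"] += [p for _, p in recent if p not in burst["pids"]]
        else:
            bursts.append({"start": recent[0][0], "end": ts,
                           "pids": [p for _, p in recent]})
    return bursts

# Constructed sample lines in nginx error-log format (not from a real host).
SAMPLE_LOG = """\
2022/03/01 10:00:01 [alert] 1900#1900: worker process 2101 exited on signal 11 (core dumped)
2022/03/01 10:00:01 [notice] 1900#1900: signal 17 (SIGCHLD) received from 2101
2022/03/01 10:00:40 [alert] 1900#1900: worker process 2107 exited on signal 11 (core dumped)
2022/03/01 10:01:15 [alert] 1900#1900: worker process 2112 exited on signal 11
2022/03/01 10:01:20 [notice] 1900#1900: worker process 2113 exited with code 0
2022/03/01 10:02:03 [alert] 1900#1900: worker process 2118 exited on signal 11 (core dumped)
2022/03/01 14:30:00 [alert] 1900#1900: worker process 2200 exited on signal 11
2022/03/01 14:31:00 [alert] 1900#1900: worker process 2201 exited on signal 9
""".splitlines()

if __name__ == "__main__":
    for b in find_crash_bursts(SAMPLE_LOG):
        print(f"{b['start']} -> {b['end']}: {len(b['pids'])} SIGSEGV exits, pids {b['pids']}")
```

A single isolated crash, such as the 14:30 line in the sample, stays below the threshold and is not reported as a burst.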
