CVE-2022-29379
📋 TL;DR
This CVE describes a stack overflow vulnerability in the Nginx NJS module loader that could allow remote code execution or denial of service. However, multiple sources dispute that this affects released versions, suggesting it may exist only in development code. Systems using Nginx with the NJS module could be affected if running vulnerable versions.
💻 Affected Systems
- Nginx NJS (JavaScript/TypeScript engine for Nginx)
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains arbitrary code execution on the Nginx server with the privileges of the Nginx process, potentially leading to complete system compromise.
Likely Case
Denial of service causing Nginx to crash, disrupting web services. Code execution is less likely given the disputed nature of the vulnerability.
If Mitigated
Minimal impact if the vulnerability does not exist in production releases, as disputed, or if proper network segmentation and least privilege are implemented.
🎯 Exploit Status
Exploitation requires triggering the vulnerable module loader function. Limited information is available due to the disputed nature of the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Development code fixed in commit ab1702c7af9959366a5ddc4a75b4357d4e9ebdc1
Vendor Advisory: https://github.com/nginx/njs/issues/491
Restart Required: Yes
Instructions:
1. Verify if the NJS module is actually in use.
2. If using development/unreleased code, update to the latest version.
3. For production releases (0.7.2-0.7.4), monitor official Nginx/NJS advisories, as the vulnerability is disputed.
🔧 Temporary Workarounds
Disable NJS Module
All platforms: If the NJS module is not required, disable it completely to eliminate the attack surface.
Remove or comment out 'load_module modules/ngx_http_js_module.so;' from nginx.conf
Remove 'js_include' and 'js_content' directives from configuration
Restrict Module Loading
All platforms: Limit which modules can be loaded if NJS is required.
Configure strict module loading policies in nginx.conf
Use 'js_path' directive to restrict module search paths
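For step 1 of the instructions and the "Disable NJS Module" workaround, the following added example (not part of the advisory or the NJS project) reports whether a configuration actively references njs, ignoring commented-out lines. The function names `njs_audit` and `njs_status` are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): does this nginx config actually use njs?
# njs_audit / njs_status are hypothetical helper names.

# njs_audit FILE: list active njs references, then a final "status:" line.
#   in-use        - at least one js_* directive is active
#   loaded-unused - njs module is loaded but no js_* directive references it
#   absent        - no active load_module line or js_* directive
njs_audit() {
    awk '
        {
            line = $0
            sub(/#.*/, "", line)          # ignore comments (naive: no quoted "#")
            if (line ~ /^[ \t]*$/) next
        }
        line ~ /(^|[ \t;])load_module[ \t]+[^;]*ngx_(http|stream)_js_module\.so/ {
            printf "%d: module: %s\n", NR, line; mod++
        }
        line ~ /(^|[ \t{;])js_[a-z_]+[ \t]/ {
            printf "%d: directive: %s\n", NR, line; dir++
        }
        END {
            if (dir)      s = "in-use"
            else if (mod) s = "loaded-unused"
            else          s = "absent"
            print "status: " s
        }
    ' "$1"
}

njs_status() { njs_audit "$1" | sed -n 's/^status: //p'; }

# Constructed sample configuration, not taken from a real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
load_module modules/ngx_http_js_module.so;
#load_module modules/ngx_stream_js_module.so;
events {}
http {
    js_path /etc/nginx/njs/;
    js_import main from http.js;
    server {
        location /hello { js_content main.hello; }
        # js_set $x main.x;
    }
}
EOF
njs_audit "$sample"
rm -f "$sample"
```

On a live host, save the output of `nginx -T` to a file and pass that file, so that included configuration files are covered. A `loaded-unused` result means the `load_module` line can be removed without changing behaviour.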
🧯 If You Can't Patch
- Implement strict network controls to limit access to Nginx services
- Run Nginx with minimal privileges using non-root user and containerization
🔍 How to Verify
Check if Vulnerable:
Check NJS version: nginx -V 2>&1 | grep njs. Also verify if development/unreleased code is being used.
Check Version:
nginx -V 2>&1 | grep njs
Verify Fix Applied:
Verify NJS version is not development code with the vulnerability. Check git commit history if building from source.
📡 Detection & Monitoring
Log Indicators:
- Nginx crashes or segmentation faults
- Unusual module loading attempts in error logs
- High memory usage spikes
Network Indicators:
- Unexpected requests to NJS module endpoints
- Traffic patterns suggesting exploit attempts
SIEM Query:
source="nginx" AND ("segmentation fault" OR "stack overflow" OR "module loader")
🔗 References
- https://github.com/nginx/njs/commit/ab1702c7af9959366a5ddc4a75b4357d4e9ebdc1
- https://github.com/nginx/njs/issues/491
- https://github.com/nginx/njs/issues/493