000033192 - Open Source Packages nginx Vulnerabilities in RSA Web Threat Detection

Document created by RSA Customer Support Employee on Oct 5, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000033192
Applies To: RSA Product Set: Web Threat Detection
RSA Product/Service Type: Mitigator
RSA Version/Condition: 5.1 --> 6.0
Issue: RSA WTD (silvertail) uses several open source packages.
A customer's vulnerability scan may detect vulnerabilities in version 5.1x.
The scan may suggest versions certified for RSA WTD:

    Package used by RSA WTD version 5.x    Required version
    Nginx 1.0.15-12                        1.8.1
nginx is an HTTP server, reverse proxy, and mail proxy server. nginx is prone to the following security vulnerabilities:
  1. nginx is prone to a denial-of-service vulnerability. Specifically, this issue occurs because of an invalid pointer dereference in the resolver. [CVE-2016-0742]
  2. nginx is prone to a denial-of-service vulnerability because of a use-after-free in the resolver during CNAME response processing. [CVE-2016-0746]
  3. nginx is prone to a denial-of-service vulnerability. Specifically, this issue occurs because of insufficient limits on CNAME resolution in the resolver. [CVE-2016-0747]
Attackers can exploit these issues to cause denial-of-service conditions.
Resolution: This issue has been submitted as Product Security report PSRC-3552 and Jira WTD-5127.
From this work, it was determined by the Web Threat Detection core team that the nginx server needs to be replaced with version 1.9.10 or the latest stable release.
The next WTD version, which has a planned release for the end of October 2016, will contain the newer nginx release and the vulnerabilities will be resolved.
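The check below is an added example, not RSA's or nginx's own code: it parses the nginx version from `nginx -v` output or an RPM-style package string such as `1.0.15-12`, compares it against the fix releases named in this article (1.8.1 and 1.9.10), and looks for an active `resolver` directive, since nginx's advisory for these three CVEs states the resolver code is only reachable when that directive is configured. The version string and configuration fragment are constructed sample inputs.

```python
import re

# Fix releases for CVE-2016-0742/0746/0747, per the article: 1.8.1 for the 1.8 branch, 1.9.10 for 1.9.
FIXED_VERSIONS = {(1, 8): (1, 8, 1), (1, 9): (1, 9, 10)}

# Constructed sample inputs (not taken from a real system).
SAMPLE_VERSION_OUTPUT = "nginx version: nginx/1.0.15"
SAMPLE_NGINX_CONF = """
http {
    # resolver 10.0.0.2;   <- commented out, must not count
    server {
        resolver 10.0.0.53 valid=30s;
        resolver_timeout 5s;
    }
}
"""


def parse_nginx_version(text):
    """Return (major, minor, patch) from 'nginx -v' output or a package string like '1.0.15-12'.
    The distribution release suffix ('-12') is dropped: it does not change the upstream code level."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no nginx version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True when the upstream version carries the resolver fixes.
    1.8.x needs >= 1.8.1, 1.9.x needs >= 1.9.10, 1.10+ postdates both fix releases; older branches are affected."""
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version >= FIXED_VERSIONS[branch]
    return version >= (1, 9, 10)


def resolver_configured(config_text):
    """True if a non-commented 'resolver' directive is present (not 'resolver_timeout')."""
    for line in config_text.splitlines():
        active = line.split("#", 1)[0].strip()
        if re.match(r"resolver\s+\S", active):
            return True
    return False


def assess(version_text, config_text):
    """Classify a host: 'fixed', 'affected' (vulnerable build and resolver in use) or
    'latent' (vulnerable build, resolver not configured, so the bugs are not reachable yet)."""
    if is_fixed(parse_nginx_version(version_text)):
        return "fixed"
    return "affected" if resolver_configured(config_text) else "latent"
```

The 1.0.15 sample assesses as "affected"; the same build with the `resolver` line commented out assesses as "latent", which is the distinction the R&D risk notes below rely on.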
Notes: The WTD R&D team notes:
  • We want to stress that WTD is not customer facing.
  • WTD is not deployed on the DMZ or any other areas accessible from outside, i.e. no traffic to/from WTD leaves a safe perimeter.
  • It is actually accessed by a few security/threat analysts and the system admin.
  • The risk that a malicious user will attack WTD and the system will be crashed is rather low.
  • NGINX provides no patches for these issues, but recommends upgrading to version 1.9.10.
  • From our point of view, the current situation is not dangerous enough to require immediate action.
  • Upgrading to a new nginx version is not appropriate for current WTD 6.0 implementations, as it requires changes in installation and deployment processes. This may cause unknown side effects.