今天收到收到腾讯云的服务器报警:
Nginx HTTP/2 模块安全漏洞 (CVE-2019-9511等)
漏洞标签 远程利用
漏洞类型 应用漏洞
威胁等级 高危
CVE编号 CVE-2019-9511/CVE-2019-9513/CVE-2019-9516
披露时间 2020-09-14
漏洞描述
漏洞存在于ngx_http_v2_module模块之中(默认情况下不编译,编译时需要开启–with-http_v2_module,同时将listen http2添加到配置文件中),当用户添加http2支持时,攻击者可以发送特制的HTTP/2请求,可能导致过多的CPU使用率(CVE-2019-9511,CVE-2019-9513)和内存消耗(CVE-2019-9516),最终导致服务器DoS。
nginx 在高版本中已经修复此漏洞,解决方案:将 nginx升级到高版本。
OpenCloudOS
对于这台服务器:
1
2
$ cat /etc/redhat-release
OpenCloudOS release 8.6.2205 (Core)
OpenCloudOS 是国内OpenCloudOS社区维护的一个开源 Linux 版本,其兼容 CentOS 8,因此可以当做 CentOS8 使用。
由于本机的软件源较旧,无法直接通过 yum update 升级nginx,因此参考 nginx 官网的说明配置软件源,升级 nginx,
编辑 /etc/yum.repos.d/nginx.repo 文件:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
升级 nginx:
1
$ yum update -y nginx
检查版本:
1
2
$ nginx -v
nginx version: nginx/1.24.0
升级成功!
测试:
1
2
3
$ nginx -t
nginx: [emerg] module "/usr/lib64/nginx/modules/ngx_http_image_filter_module.so" version 1014001 instead of 1024000 in /usr/share/nginx/modules/mod-http-image-filter.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed
有模块不兼容。
重新安装模块
1
2
$ yum remove -y nginx-mod*
$ yum install -y nginx-module-*
再次 nginx -t ok。
重新加载 nginx 配置文件:
1
$ nginx -s reload
TencentOS Server
对于下面这台服务器:
1
2
$ cat /etc/redhat-release
TencentOS Server release 3.1 (Final)
不能直接使用上面 /etc/yum.repos.d/nginx.repo 的配置文件,因为不存在 $releasever 为 3.1 的版本,直接使用会出现这个错:
1
2
3
4
5
$ yum update -y nginx
nginx stable repo 3.2 kB/s | 3.3 kB 00:01
Errors during downloading metadata for repository 'nginx-stable':
- Status code: 404 for http://nginx.org/packages/centos/3.1/x86_64/repodata/repomd.xml (IP: 52.58.199.22)
Error: Failed to download metadata for repo 'nginx-stable': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried
网上找到的 TencentOS Server 的资料较少,猜测其兼容为 CentOS7,再次修改 repo 文件:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
更新 nginx,成功:
1
$ yum install -y nginx
检查版本:
1
2
$ nginx -v
nginx version: nginx/1.24.0
测试:
1
2
3
$ nginx -t
nginx: [emerg] module "/usr/lib64/nginx/modules/ngx_http_image_filter_module.so" version 1014001 instead of 1024000 in /usr/share/nginx/modules/mod-http-image-filter.conf:1
nginx: configuration file /etc/nginx/nginx.conf test failed
仍然是 nginx 模块不兼容。
准备重装模块,先删除:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
$ yum remove nginx-mod*
Dependencies resolved.
======================================================================================================================================================================================================================================
Package Architecture Version Repository Size
======================================================================================================================================================================================================================================
Removing:
nginx-mod-http-image-filter x86_64 1:1.14.1-10.module+el8.6.0+32+00655e69 @TencentOS-AppStream 29 k
nginx-mod-http-perl x86_64 1:1.14.1-10.module+el8.6.0+32+00655e69 @TencentOS-AppStream 60 k
nginx-mod-http-xslt-filter x86_64 1:1.14.1-10.module+el8.6.0+32+00655e69 @TencentOS-AppStream 25 k
nginx-mod-mail x86_64 1:1.14.1-10.module+el8.6.0+32+00655e69 @TencentOS-AppStream 108 k
nginx-mod-stream x86_64 1:1.14.1-10.module+el8.6.0+32+00655e69 @TencentOS-AppStream 163 k
Removing dependent packages:
nginx-all-modules noarch 1:1.14.1-10.module+el8.6.0+32+00655e69 @TencentOS-AppStream 0
Transaction Summary
======================================================================================================================================================================================================================================
Remove 6 Packages
Freed space: 385 k
Is this ok [y/N]: y
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Erasing : nginx-all-modules-1:1.14.1-10.module+el8.6.0+32+00655e69.noarch 1/6
Erasing : nginx-mod-http-image-filter-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64 2/6
Erasing : nginx-mod-http-perl-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64 3/6
Erasing : nginx-mod-http-xslt-filter-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64 4/6
Erasing : nginx-mod-mail-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64 5/6
Erasing : nginx-mod-stream-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64 6/6
Verifying : nginx-all-modules-1:1.14.1-10.module+el8.6.0+32+00655e69.noarch 1/6
Verifying : nginx-mod-http-image-filter-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64 2/6
Verifying : nginx-mod-http-perl-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64 3/6
Verifying : nginx-mod-http-xslt-filter-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64 4/6
Verifying : nginx-mod-mail-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64 5/6
Verifying : nginx-mod-stream-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64 6/6
Removed:
nginx-all-modules-1:1.14.1-10.module+el8.6.0+32+00655e69.noarch nginx-mod-http-image-filter-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64 nginx-mod-http-perl-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64
nginx-mod-http-xslt-filter-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64 nginx-mod-mail-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64 nginx-mod-stream-1:1.14.1-10.module+el8.6.0+32+00655e69.x86_64
Complete!
再重新安装:
1
2
3
4
5
6
7
8
9
$ yum install -y nginx-module-*
Last metadata expiration check: 0:00:55 ago on Fri 26 May 2023 10:44:07 AM CST.
Error:
Problem 1: cannot install the best candidate for the job
- nothing provides libgd.so.2()(64bit) needed by nginx-module-image-filter-1:1.24.0-1.el7.ngx.x86_64
Problem 2: cannot install the best candidate for the job
- nothing provides libperl.so()(64bit) needed by nginx-module-perl-1:1.24.0-1.el7.ngx.x86_64
- nothing provides perl(:MODULE_COMPAT_5.16.3) needed by nginx-module-perl-1:1.24.0-1.el7.ngx.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)
根据提示,使用 --skip-broken 跳过:
1
$ yum install -y nginx-module-* --skip-broken
安装顺利。
再次检查:
1
2
3
$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
成功。
重新加载 nginx 配置文件:
1
$ nginx -s reload
参考链接:http://nginx.org/en/linux_packages.html