
DROWN Vulnerability CVE-2016-0800 in OpenSSL Misses Most NGINX Users


A new OpenSSL vulnerability (CVE-2016-0800), called DROWN, was recently announced. It affects older versions of several widely-used server technologies:

The DROWN vulnerability is described on the dedicated website, The DROWN Attack. It stands for Decrypting RSA with Obsolete and Weakened eNcryption, and makes vulnerable websites susceptible to man-in-the-middle attacks.

DROWN is unusual in that it does not require a site to actively use SSLv2 or other vulnerable protocols. A site is vulnerable if it supports one of the vulnerable protocols or shares a private key with any other server that allows SSLv2 connections.

Both open source NGINX and NGINX Plus support SSLv2, but it is turned off by default in recent versions. Only users who have explicitly turned on SSLv2, use a significantly outdated version of NGINX, or share a private key with another server that allows SSLv2 connections are vulnerable to this attack.

Site owners should check whether their website configuration supports SSLv2 and disable it if it does. With NGINX and NGINX Plus, the use of SSL and TLS protocols is controlled by the ssl_protocols configuration directive. In order to enable recent TLS only, and disable SSL v2 and SSL v3, please use the following syntax:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Please see reference documentation on SSL support with NGINX: http://nginx.org/en/docs/http/ngx_http_ssl_module.html
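As an added example (not code from the NGINX post), here is a small Python audit that scans nginx configuration text for active ssl_protocols directives, flags SSLv2 and SSLv3, and rewrites any weak directive to the TLS-only line given above. The configuration it scans is constructed for illustration; it does not follow include directives and cannot detect the shared-key case, which needs a look at what other hosts serve the same certificate.

```python
import re

# Protocols the post says to disable; SSLv2 is the one DROWN exploits.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# TLS-only directive recommended in the post.
RECOMMENDED = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"

_DIRECTIVE = re.compile(r"(?<![\w-])ssl_protocols\s+([^;]+);")

# Constructed sample nginx.conf: one server still enabling SSLv2/SSLv3,
# one already TLS-only, and an old directive left commented out.
SAMPLE_CONF = """http {
    # ssl_protocols SSLv2 SSLv3 TLSv1;   # old directive, commented out
    server {
        listen 443 ssl;
        ssl_certificate /etc/nginx/example.crt;
        ssl_protocols SSLv2 SSLv3 TLSv1;
    }
    server {
        listen 8443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
"""

def audit_ssl_protocols(config_text):
    """One finding per active ssl_protocols directive: line number, the
    protocols it enables, and which of those are weak. Comments are ignored."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        active = raw.split("#", 1)[0]            # drop trailing comment
        for m in _DIRECTIVE.finditer(active):
            protocols = m.group(1).split()
            findings.append({"line": lineno, "protocols": protocols,
                             "weak": sorted(WEAK_PROTOCOLS & set(protocols))})
    return findings

def sslv2_enabled(config_text):
    """True if any active directive lists SSLv2 (a missing directive leaves
    the build default in force, which recent versions set without SSLv2)."""
    return any("SSLv2" in f["protocols"] for f in audit_ssl_protocols(config_text))

def _fix(m):
    return RECOMMENDED if set(m.group(1).split()) & WEAK_PROTOCOLS else m.group(0)

def harden_ssl_protocols(config_text):
    """Rewrite every active directive enabling a weak protocol to RECOMMENDED."""
    out = []
    for raw in config_text.splitlines():
        code, sep, comment = raw.partition("#")   # never touch comments
        out.append(_DIRECTIVE.sub(_fix, code) + sep + comment)
    return "\n".join(out)
```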

Visit the NGINX Community Forum or, for NGINX Plus users, NGINX Plus Support for more information.

Visit the following sites for more information:

Image courtesy The Drown Attack.

The post DROWN Vulnerability CVE-2016-0800 in OpenSSL Misses Most NGINX Users appeared first on NGINX.
