Nginx fixes critical vulnerability
Nginx has released a fix for a critical vulnerability in its DNS resolver implementation. The vulnerability (CVE-2021-23017) in the Nginx resolver allows an attacker to gain full control over the target system, and an exploit for it is already publicly available.
The issue affects NGINX Open Source, NGINX Plus and NGINX Ingress Controller. The patch for this vulnerability is included in the following software versions:
- NGINX Open Source 1.20.1 (stable version)
- NGINX Open Source 1.21.0 (mainline version)
- NGINX Plus R23 P1
- NGINX Plus R24 P1
The following versions of NGINX Ingress Controller ship the patched builds of NGINX Open Source and NGINX Plus:
- NGINX Ingress Controller 1.11.2: NGINX Plus R23 P1
- NGINX Ingress Controller 1.11.3: NGINX Open Source 1.21.0 and NGINX Plus R23 P1
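As an added check (example code written for this note, not from the advisory or the NGINX project), the Python script below parses `nginx -v` output, compares it against the open-source fixed versions listed above, and reports whether a configuration actually enables the nginx resolver, which only runs when a `resolver` directive is present. The banner and configuration are constructed samples; NGINX Plus build numbers are not handled, and releases newer than 1.21.0 are assumed to keep the fix.

```python
import re

# Open-source releases carrying the fix, per the advisory above. Later
# releases on each branch are assumed to keep it; older branches do not.
FIXED_BY_BRANCH = {(1, 20): (1, 20, 1), (1, 21): (1, 21, 0)}

def parse_nginx_version(banner):
    """(major, minor, patch) from `nginx -v` output such as
    'nginx version: nginx/1.20.0', or None if absent."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def is_patched(version):
    """True if the open-source version carries the CVE-2021-23017 fix."""
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version >= FIXED_BY_BRANCH[branch]
    return branch > (1, 21)  # newer branches inherit the mainline fix

def uses_resolver(config_text):
    """True if a non-comment line declares a `resolver` directive, i.e.
    the nginx DNS resolver (where the bug lives) is actually enabled."""
    for line in config_text.splitlines():
        code = line.split("#", 1)[0].strip()
        if re.match(r"resolver\s+\S", code):
            return True
    return False

def assess(banner, config_text):
    """'patched', 'vulnerable', 'unpatched-resolver-unused' or 'unknown'."""
    version = parse_nginx_version(banner)
    if version is None:
        return "unknown"
    if is_patched(version):
        return "patched"
    return "vulnerable" if uses_resolver(config_text) else "unpatched-resolver-unused"

# Constructed sample input, not taken from a real host.
SAMPLE_BANNER = "nginx version: nginx/1.20.0"
SAMPLE_CONF = """http {
    # resolver 8.8.8.8;   <- commented out, does not count
    server {
        resolver 127.0.0.53 valid=30s;
        location / { proxy_pass http://backend; }
    }
}"""

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))  # vulnerable
```

Run it against the real `nginx -v` banner and the output of `nginx -T` to cover included configuration files.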
Nginx has also patched an encryption vulnerability in the NGINX Controller NAAS API (CVE-2021-23020), a credential disclosure vulnerability in NGINX Controller (CVE-2021-23019), and an information disclosure vulnerability (CVE-2021-23021).
Source: securitylab.ru
26 May 2021