EricT
09-16-2009, 06:53 PM
On September 14th a security vulnerability in nginx was announced. nginx is used in both the INSSLR and URLSW AppLogic appliances. The following description was provided by http://www.securityfocus.com/bid/36384
"The 'nginx' program is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition."
Note: In the quote above, "application" refers to nginx. This vulnerability is isolated to INSSLR/URLSW and does not affect the AppLogic application as a whole.
This security vulnerability affects both the INSSLR and URLSW appliances that were provided in the AppLogic 2.7 beta release (INSSLR was updated to use nginx in the 2.7 beta). These appliances will be updated in the upcoming AppLogic 2.7 production release. AppLogic 2.1 and 2.4 grids are not affected by this vulnerability unless these appliances were specifically requested from the 2.7 beta and imported onto a 2.1 or 2.4 grid.
If you cannot wait for the 2.7 production release and need the fixed appliances before the next release, please contact 3Tera support.
-- Eric