Plesk

Vulnerability CVE-2023-44487

Situation

Vulnerability CVE-2023-44487 (the HTTP/2 "Rapid Reset" denial-of-service attack), which affects Nginx, has been disclosed.

Impact

Nginx by default sets the following values for the two relevant directives (see the related Nginx blog):

keepalive_requests 1000;

http2_max_concurrent_streams 128;

The attack works by opening HTTP/2 streams and immediately cancelling them with RST_STREAM. With these defaults a connection carries at most 128 concurrent streams and is closed after 1000 requests, so the amount of work a single connection can force is bounded. When the default parameters are used, the nginx instance isn't affected by the vulnerability. Plesk doesn't configure these parameters, so a default Plesk instance isn't affected.

Call to action

As long as the default Nginx settings for keepalive_requests and http2_max_concurrent_streams are kept, a Plesk server is protected against the vulnerability.

There are temporary workarounds until an nginx version with the fix is released:

Workaround 1: Reset modified values to default

If you are not sure whether the values have been modified, or need to reset them to the defaults, perform the following steps:

  1. Connect to the server via SSH.

  2. Search for the customized parameters:

    # grep -rinE "http2_max_concurrent_streams|keepalive_requests" /etc/nginx/

  3. Edit the files found and comment out the directives with the # symbol (or set them explicitly to the default values 1000 and 128), like so:

    # keepalive_requests 123456;
    # http2_max_concurrent_streams 256;

  4. Restart the nginx service to apply the configuration changes:

    # systemctl restart nginx
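The two checks above (which values nginx defaults to, and whether anything under /etc/nginx overrides them) can be scripted. The following is an added example, not Plesk's or nginx's own tooling: it lists active overrides of the two directives, counts those that raise a limit above the nginx default, and comments them out the way step 3 does. The config tree it builds in make_sample_tree is constructed for the demo; on a real server run count_raised against /etc/nginx.

```shell
#!/bin/sh
# Added example, not Plesk's or nginx's own tooling. Audits an nginx config tree
# for active keepalive_requests / http2_max_concurrent_streams overrides, flags
# those that raise a limit above the nginx defaults the advisory relies on, and
# can comment them out (Workaround 1, step 3). The sample tree created by
# make_sample_tree is constructed for the demo and is not a real /etc/nginx.

DEFAULT_KEEPALIVE_REQUESTS=1000
DEFAULT_H2_STREAMS=128

# default_for DIRECTIVE: print the nginx default for one of the two directives.
default_for() {
    case $1 in
        keepalive_requests)           echo "$DEFAULT_KEEPALIVE_REQUESTS" ;;
        http2_max_concurrent_streams) echo "$DEFAULT_H2_STREAMS" ;;
        *)                            return 1 ;;
    esac
}

# list_overrides DIR: print "file:line:directive:value" for every ACTIVE override.
# The regex is anchored at line start, so lines already commented out with '#'
# do not match; that is why commenting a directive out restores the default.
# (Assumes file names without ':'; grep -E is required for the alternation.)
list_overrides() {
    cfgdir=$1
    grep -rEHn '^[[:space:]]*(keepalive_requests|http2_max_concurrent_streams)[[:space:]]+[0-9]+' "$cfgdir" 2>/dev/null |
    while IFS=: read -r file line rest; do
        set -- $rest                     # $1 = directive, $2 = value, maybe with ';'
        printf '%s:%s:%s:%s\n' "$file" "$line" "$1" "${2%;}"
    done
}

# count_raised DIR: number of overrides that RAISE a limit above the default.
# Values at or below the default are stricter than stock nginx and are ignored.
count_raised() {
    list_overrides "$1" | {
        n=0
        while IFS=: read -r file line directive value; do
            if [ "$value" -gt "$(default_for "$directive")" ]; then
                n=$((n + 1))
            fi
        done
        echo "$n"
    }
}

# comment_out_raised DIR: prefix each raising override with '# ' in place so
# nginx falls back to its default (portable sed: write a temp copy, then move).
comment_out_raised() {
    list_overrides "$1" | while IFS=: read -r file line directive value; do
        if [ "$value" -gt "$(default_for "$directive")" ]; then
            sed "${line}s/^/# /" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        fi
    done
}

# make_sample_tree: constructed config tree with one inactive (already commented)
# override, two raising overrides and one stricter-than-default value.
make_sample_tree() {
    sample=$(mktemp -d)
    mkdir -p "$sample/conf.d"
    cat > "$sample/nginx.conf" <<'EOF'
http {
    # keepalive_requests 5000;      already commented out, so inactive
    keepalive_requests 123456;      # raises the limit, weakens the protection
    include conf.d/*.conf;
}
EOF
    cat > "$sample/conf.d/h2.conf" <<'EOF'
server {
    listen 443 ssl http2;
    http2_max_concurrent_streams 256;   # above the 128 default
    keepalive_requests 500;             # below the default, still protected
}
EOF
    echo "$sample"
}

# Demo: `sh audit_nginx_h2.sh demo`. On a real server: count_raised /etc/nginx
if [ "${1:-}" = "demo" ]; then
    tree=$(make_sample_tree)
    echo "raising overrides before: $(count_raised "$tree")"
    comment_out_raised "$tree"
    echo "raising overrides after:  $(count_raised "$tree")"
    rm -rf "$tree"
fi
```

Run as `sh audit_nginx_h2.sh demo` it reports two raising overrides before and none after. The already-commented line in the sample shows why the plain grep in step 2 can still list directives that no longer apply, so look for a leading # before editing. After editing a real tree, run nginx -t before the restart in step 4.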

Workaround 2: Disable HTTP/2

  1. Connect to the server via SSH.

  2. Disable HTTP/2 server-wide (clients fall back to HTTP/1.1):

    # plesk bin http2_pref disable
