Situation
Vulnerability CVE-2023-44487 affecting Nginx has been discovered.
Impact
Nginx by default sets the following values for these parameters (see the related Nginx blog post):
keepalive_requests 1000;
http2_max_concurrent_streams 128;
When the default parameters are used, the nginx instance isn't affected by the vulnerability. Plesk doesn't configure these parameters, so a default Plesk instance isn't affected.
Call to action
As long as the default Nginx settings for keepalive_requests and http2_max_concurrent_streams are kept, the Plesk server is secured against the vulnerability.
There are temporary workarounds until an nginx version with the fix is released:
Workaround 1: Reset modified values to default
In case you are not sure whether the values have been modified, or need to change them back to the defaults, perform the following steps:
- Connect to the server via SSH.
- Search for the customized parameters (the -E flag is required so that | is treated as an alternation rather than a literal character):
# grep -rinE "http2_max_concurrent_streams|keepalive_requests" /etc/nginx/
- Edit the found files by commenting out the directives with the # symbol, like so:
# keepalive_requests 123456
# http2_max_concurrent_streams 256
- Restart the nginx service to apply the configuration changes:
# systemctl restart nginx
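The following script is an added audit helper, not part of this article and not a Plesk or nginx tool. It walks an nginx configuration tree (the /etc/nginx path is the one named above; any other directory can be passed as the first argument), lists every active keepalive_requests and http2_max_concurrent_streams directive, and reports each one whose value differs from the defaults quoted in the Impact section (1000 and 128). Commented-out directives, which is what Workaround 1 leaves behind, are ignored, so a clean run after the workaround confirms that only defaults remain. The sample configuration it builds when run without arguments is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the Plesk article, nginx or Plesk).
# Scans an nginx config tree for active keepalive_requests /
# http2_max_concurrent_streams directives and reports values that differ
# from the nginx defaults the article quotes (1000 and 128).
# Exit status: 0 = only default values in use, 1 = customized value(s) found.

audit_nginx_h2_limits() {
    dir="${1:-/etc/nginx}"   # /etc/nginx is the article's path
    bad=0
    # -E makes '|' an alternation. The anchored ^[[:space:]]* means a line whose
    # first non-blank character is '#' (commented out, as in Workaround 1) never matches.
    matches=$(grep -rnE \
        '^[[:space:]]*(keepalive_requests|http2_max_concurrent_streams)[[:space:]]+[0-9]+' \
        "$dir" 2>/dev/null || true)
    if [ -z "$matches" ]; then
        echo "OK: no keepalive_requests/http2_max_concurrent_streams directives under $dir"
        return 0
    fi
    # grep prints file:line:text. A here-document keeps the loop in the current
    # shell so $bad is still visible after the loop (a pipe would run it in a subshell).
    while IFS= read -r hit; do
        file=${hit%%:*}
        rest=${hit#*:}
        lineno=${rest%%:*}
        text=${rest#*:}
        directive=$(printf '%s\n' "$text" | awk '{print $1}')
        value=$(printf '%s\n' "$text" | awk '{sub(/;.*/, "", $2); print $2}')
        case "$value" in ''|*[!0-9]*) continue ;; esac   # skip anything non-numeric
        case "$directive" in
            keepalive_requests)           default=1000 ;;
            http2_max_concurrent_streams) default=128 ;;
            *) continue ;;
        esac
        if [ "$value" -ne "$default" ]; then
            printf 'CUSTOMIZED %s:%s %s %s (default %s)\n' \
                "$file" "$lineno" "$directive" "$value" "$default"
            bad=$((bad + 1))
        else
            printf 'default    %s:%s %s %s\n' "$file" "$lineno" "$directive" "$value"
        fi
    done <<EOF
$matches
EOF
    [ "$bad" -eq 0 ]
}

# Stand-alone demo on a constructed config tree; the real /etc/nginx is not touched.
if [ -z "${1:-}" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/conf.d"
    printf 'http {\n    keepalive_requests 123456;\n    http2_max_concurrent_streams 128;\n}\n' > "$demo/nginx.conf"
    printf '# http2_max_concurrent_streams 256;\n' > "$demo/conf.d/legacy.conf"
    if audit_nginx_h2_limits "$demo"; then
        echo "only default values in use"
    else
        echo "customized values found: comment them out as in Workaround 1, then restart nginx"
    fi
    rm -rf "$demo"
else
    audit_nginx_h2_limits "$1"
fi
```

Run it as `sh audit.sh /etc/nginx` on the server after completing Workaround 1; an exit status of 0 with no CUSTOMIZED lines means every remaining active directive carries the default value.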
Workaround 2: Disable HTTP/2
- Connect to the server via SSH.
- Disable HTTP/2:
# plesk bin http2_pref disable