SituationVulnerability CVE-2023-44487 (https://access.redhat.com/security/cve/cve-2023-44487) affecting Nginx has been discovered.
ImpactNginx by default sets the following values for the parameters (see related Nginx blog (https://www.f5.com/company/blog/nginx/http-2-rapid-reset-attack-impacting-f5-nginx-products)) :
keepalive_requests = 1000;
http2_max_concurrent_streams = 128;When the default parameters are used, nginx instance isn't affected by the vulnerability. Plesk doesn't
configure these parameters. Therefore, default Plesk instance isn't affected.
Call to actionAs long as default Nginx settings keepalive_requests and http2_max_concurrent_streams are kept, Plesk
server is secured against the vulnerability.
There are temporary workarounds until nginx version with fix is released:
Workaround 1: Reset modified values to defaultIn case you are not sure if the values have been modified, or need to change these to comply with the defaults,
perform the following steps:
- Connect to the server via SSH.
- Search for the customized parameters:
# grep -rin "http2_max_concurrent_streams\|keepalive_requests" /etc/nginx/ - Edit found files by commenting out the directives with the # symbol like so:
# keepalive_requests 123456
# http2_max_concurrent_streams 256 - Restart nginx service to apply configuration changes:
# systemctl restart nginx
Workaround 2: Disable HTTP/2- Connect to the server via SSH.
- Disable HTTP/2:
# plesk bin http2_pref disable