Recently a number of partners have asked if Zimbra is affected by NGINX CVE-2023-44487.
When we take a look at the NGINX blog post on CVE-2023-44487 it mentions the following:
…it is essential that the following updates are made to NGINX configuration files, minimizing the server’s attack surface:
keepalive_requests should be kept at the default setting of 1000 requests
http2_max_concurrent_streams should be kept at the default setting of 128 streams
By default Zimbra does not set the keepalive_requests and/or http2_max_concurrent_streams properties. In which case NGinx default will be used and the vulnerability will not affect Zimbra Proxy. However in case you made customizations to the Zimbra NGINX templates, it could be you have changed these properties.
To find out, you can run below commands on your Zimbra Proxy server, none of these should return the keepalive_requests and/or http2_max_concurrent_streams properties.
sudo su - zimbra /opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf -T | grep http2_max_concurrent_streams /opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf -T | grep keepalive_requests cd /opt/zimbra/conf/nginx/ grep -F -l -i keepalive_requests * -R grep -F -l -i http2_max_concurrent_streams * -R
FYI, an update for Zimbra Proxy is coming soon that will update Zimbra Proxy to NGINX version 1.24.