Zimbra not affected by NGINX CVE-2023-44487

Recently a number of partners have asked if Zimbra is affected by NGINX CVE-2023-44487.

The NGINX blog post on CVE-2023-44487 (the HTTP/2 "Rapid Reset" attack) says the following:

…it is essential that the following updates are made to NGINX configuration files, minimizing the server’s attack surface:

By default Zimbra does not set the keepalive_requests or http2_max_concurrent_streams directives, so Zimbra Proxy runs with the NGINX defaults and the vulnerability does not affect it: NGINX's guidance is that those defaults (1000 requests per keepalive connection, 128 concurrent HTTP/2 streams) are what bound the attack, and raising them is what widens the exposure. If you have customized the Zimbra NGINX templates, however, you may have changed these directives.

To find out, run the commands below on your Zimbra Proxy server as the zimbra user. None of them should print a keepalive_requests or http2_max_concurrent_streams line. The first pair checks the configuration nginx actually loads (-T dumps the effective configuration with every included file expanded); the second pair searches the files and templates under /opt/zimbra/conf/nginx/, since an override that lives in a template comes back whenever the configuration is regenerated from it.

sudo su - zimbra
# effective configuration, all includes expanded
/opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf -T | grep http2_max_concurrent_streams
/opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf -T | grep keepalive_requests

# on-disk configuration and templates
cd /opt/zimbra/conf/nginx/
grep -R -F -l -i keepalive_requests .
grep -R -F -l -i http2_max_concurrent_streams .

If a command does print a match, look at the value rather than just the directive name: an explicit setting at or below the NGINX default (keepalive_requests 1000, http2_max_concurrent_streams 128) leaves the mitigation intact, while a larger value should be removed from the template and the proxy restarted so the regenerated configuration falls back to the default.
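The grep commands above only tell you whether a directive is present. The script below is an added example written for this page, not code from the Zimbra post or the Zimbra product: it reads an nginx -T dump, ignores commented-out lines, and compares any explicit keepalive_requests or http2_max_concurrent_streams value with the NGINX default, so a template that merely pins the default does not raise a false alarm. The two sample dumps embedded in it are constructed; on a real proxy you would pipe in the live dump as shown in the comment.

```shell
#!/bin/sh
# Added example (not from the Zimbra post): audit an `nginx -T` dump for the two
# directives named in the NGINX advisory on CVE-2023-44487 and compare any
# explicit value against the NGINX default. The directive names and defaults
# are NGINX's; the sample dumps further down are constructed for the demo.

NGINX_DEFAULT_KEEPALIVE_REQUESTS=1000
NGINX_DEFAULT_HTTP2_MAX_CONCURRENT_STREAMS=128

# check_directive NAME DEFAULT   (config dump on stdin)
# Prints one line per occurrence of NAME. Returns 1 if any value is larger than
# DEFAULT or is not a plain number (e.g. a variable), 0 otherwise.
check_directive() {
    awk -v name="$1" -v def="$2" '
        { sub(/#.*/, "") }                 # drop comments so "# keepalive_requests 9999;" is ignored
        $1 == name {
            val = $2; sub(/;.*/, "", val)  # "1000;" -> "1000"
            seen++
            if (val !~ /^[0-9]+$/) {
                printf("%s: value \"%s\" is not a plain number, review manually\n", name, $2)
                bad = 1
            } else if (val + 0 > def + 0) {
                printf("%s %s is ABOVE the NGINX default of %s\n", name, val, def)
                bad = 1
            } else {
                printf("%s %s is within the NGINX default of %s\n", name, val, def)
            }
        }
        END {
            if (!seen) printf("%s not set, NGINX default %s applies\n", name, def)
            exit bad + 0
        }'
}

# check_nginx_dump   (config dump on stdin)
# Runs both checks. Returns 0 when both directives are absent or at/below the
# NGINX default, 1 when either one has been raised or cannot be parsed.
check_nginx_dump() {
    dump=$(cat)
    rc=0
    printf '%s\n' "$dump" | check_directive keepalive_requests "$NGINX_DEFAULT_KEEPALIVE_REQUESTS" || rc=1
    printf '%s\n' "$dump" | check_directive http2_max_concurrent_streams "$NGINX_DEFAULT_HTTP2_MAX_CONCURRENT_STREAMS" || rc=1
    return "$rc"
}

# Constructed sample dumps standing in for `nginx -T` output (not real Zimbra config).
SAFE_DUMP='http {
    # keepalive_requests 50000;   commented out: must be ignored
    keepalive_timeout 65;
    server {
        listen 443 ssl http2;
        http2_max_concurrent_streams 128;
    }
}'

UNSAFE_DUMP='http {
    keepalive_requests 100000;
    server {
        listen 443 ssl http2;
        http2_max_concurrent_streams 4096;
    }
}'

# Demo on the constructed dumps. On a real Zimbra Proxy, as the zimbra user, pipe in
# the live dump instead (nginx -T writes the dump to stdout and its status to stderr):
#   /opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf -T 2>/dev/null | check_nginx_dump
echo "== constructed safe dump =="
printf '%s\n' "$SAFE_DUMP" | check_nginx_dump && echo "OK: NGINX defaults in effect"
echo "== constructed unsafe dump =="
printf '%s\n' "$UNSAFE_DUMP" | check_nginx_dump || echo "ACTION: remove the overrides from the template and restart the proxy"
```

The value comparison is what the plain grep cannot give you: a template that states keepalive_requests 1000; explicitly matches the grep but is harmless, whereas keepalive_requests 100000; is the kind of tuning that removes the per-connection bound the advisory relies on.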

An update for Zimbra Proxy that moves it to NGINX version 1.24 is coming soon.

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.