一、漏洞简介¶

1.1 漏洞背景¶

SPDY 是 HTTP/2 的前身协议，用于加速网页传输。Nginx 的 SPDY 实现在处理特制请求时存在堆缓冲区溢出漏洞。

1.2 漏洞概述（包含 CVE 编号、危害等级、漏洞类型、披露时间等）¶

• CVE 编号：CVE-2014-0133
• 危害等级：高（Major）
• CVSS 评分：CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H（9.8）
• 漏洞类型：堆缓冲区溢出
• 潜在影响：远程代码执行

补充核验信息：公开时间：2014-03-28；NVD 评分：7.5（HIGH）；CWE：CWE-787。

二、影响范围¶

2.1 受影响的版本¶

• Nginx 1.3.15 - 1.5.11

2.2 不受影响的版本¶

• Nginx 1.5.12 及以上
• Nginx 1.4.7 及以上

2.3 触发条件（如特定模块、特定配置、特定运行环境等）¶

1. Nginx 编译时启用了 SPDY 模块（--with-http_spdy_module）
2. 配置文件中启用了 SPDY：listen 443 ssl spdy;
3. 攻击者能够建立 SPDY 连接

三、漏洞详情与原理解析¶

3.1 漏洞触发机制¶

攻击者通过 SPDY 协议发送特制的请求： 1. 构造恶意的 SPDY SYN_STREAM 帧 2. 在请求头中包含超长数据 3. Nginx 在处理时发生堆缓冲区溢出 4. 可能导致代码执行

3.2 源码层面的根因分析（结合源码与补丁对比）¶

漏洞代码位置：src/http/ngx_http_spdy.c

问题根因： 在处理 SPDY 帧的压缩头部时，对输入数据的验证不足，导致堆缓冲区溢出。

关键问题代码：

static ngx_int_t
ngx_http_spdy_handle_input_header(ngx_http_request_t *r,
    ngx_http_spdy_stream_t *stream, ngx_uint_t hash, ngx_str_t *header)
{
    /* 处理 SPDY 压缩头部 */
    u_char *p;
    size_t len;

    /* 问题：没有充分检查输入长度 */
    p = ngx_pnalloc(r->pool, header->len + 1);
    if (p == NULL) {
        return NGX_ERROR;
    }

    /* 溢出点：如果 header->len 计算错误，会导致越界写入 */
    ngx_memcpy(p, header->data, header->len);
    p[header->len] = '\0';

    return NGX_OK;
}

修复补丁：

/* 添加长度验证 */
if (header->len > NGX_HTTP_SPDY_MAX_HEADER_SIZE) {
    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                  "spdy header too long");
    return NGX_ERROR;
}

p = ngx_pnalloc(r->pool, header->len + 1);

四、漏洞复现（可选）¶

4.1 环境搭建¶

```bash

编译带 SPDY 支持的 Nginx¶

wget http://nginx.org/download/nginx-1.5.11.tar.gz tar -xzf nginx-1.5.

4.2 PoC 演示与测试过程¶

暂无公开可验证复现信息。

五、修复建议与缓解措施¶

5.1 官方版本升级建议¶

• 优先升级到 1.4.7 或同等后续安全版本。
• 优先升级到 1.5.11 或同等后续安全版本。
• 升级前请结合官方发布说明确认兼容性与回滚方案。

5.2 临时缓解方案（如修改配置文件、关闭相关模块、增加 WAF 规则等）¶

• 在完成版本升级前，建议将相关服务限制在可信网络边界内，并最小化暴露面。
• 对高风险接口、插件或调试功能实施临时下线、访问控制与日志监控。

六、参考信息 / 参考链接¶

6.1 官方安全通告¶

• http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html
• http://nginx.org/download/nginx-1.5.11.tar.gz

6.2 其他技术参考资料¶

• NVD：https://nvd.nist.gov/vuln/detail/CVE-2014-0133
• CVE：https://www.cve.org/CVERecord?id=CVE-2014-0133
• http://mailman.nginx.org/pipermail/nginx-announce/2014/000135.html
• http://lists.opensuse.org/opensuse-updates/2014-03/msg00095.html
• http://www.securityfocus.com/bid/66537
• http://nginx.org/download/nginx-1.5.11.tar.gz

Nginx ???????CVE-2016-0746?¶

??????¶

1.1 ????¶

Nginx ???????????? CVE-2016-0746 ??????????? 2026-03-22 ?????????????? CRITICAL?CVSS 9.8?

1.2 ??????? CVE ???????????????????¶

??????¶

2.1 ??????¶

• f5:nginx:*, >= 0.6.18, <= 1.8.0
• f5:nginx:*, >= 1.9.0, < 1.9.10
• canonical:ubuntu_linux:14.04
• canonical:ubuntu_linux:15.10
• debian:debian_linux:7.0
• debian:debian_linux:8.0
• debian:debian_linux:9.0
• opensuse:leap:42.1

2.2 ???????¶

• NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

• ?????????????????????????????????????????

???????????¶

3.1 ??????¶

• NVD ?????Use-after-free vulnerability in the resolver in nginx 0.6.18 through 1.8.0 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (worker process crash) or possibly have unspecified other impact via a crafted DNS response related to CNAME response processing.
• ??????????????????????????? PoC ???

3.2 ????????????????????¶

• ?????????????CWE-416?
• NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

• ??????????????????????????????????????????

4.2 PoC ???????¶

• ? CISA KEV ????????????????? KEV ????? PoC?
• ??????????????????????????????????????????

???????????¶

5.1 ????????¶

• ???????????????????????????
• ??????????????????????????????????????

5.2 ????????????????????????????¶

• ??????????????????????
• ???????????????????????? WAF ???
• ????????????????????????????

?????? / ????¶

• https://nvd.nist.gov/vuln/detail/CVE-2016-0746
• https://www.cve.org/CVERecord?id=CVE-2016-0746
• http://lists.opensuse.org/opensuse-updates/2016-02/msg00042.html
• http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html
• http://seclists.org/fulldisclosure/2021/Sep/36
• http://www.debian.org/security/2016/dsa-3473
• http://www.securitytracker.com/id/1034869
• http://www.ubuntu.com/usn/USN-2892-1

Nginx ???????CVE-2017-20005?¶

??????¶

1.1 ????¶

Nginx ???????????? CVE-2017-20005 ??????????? 2026-03-22 ?????????????? CRITICAL?CVSS 9.8?

1.2 ??????? CVE ???????????????????¶

??????¶

2.1 ??????¶

• f5:nginx:*, < 1.13.6
• debian:debian_linux:9.0

2.2 ???????¶

• NVD / CISA ????????????????????????????????????????

2.3 ????????????????????????¶

• ?????????????????????????????????????????

???????????¶

3.1 ??????¶

• NVD ?????NGINX before 1.13.6 has a buffer overflow for years that exceed four digits, as demonstrated by a file with a modification date in 1969 that causes an integer overflow (or a false modification date far in the future), when encountered by the autoindex module.
• ??????????????????????????? PoC ???

3.2 ????????????????????¶

• ?????????????CWE-190?CWE-120?
• NVD / CISA ???????????? diff???????????????????????????????

??????????¶

4.1 ????¶

• ??????????????????????????????????????????

4.2 PoC ???????¶

• ? CISA KEV ????????????????? KEV ????? PoC?
• ??????????????????????????????????????????

???????????¶

5.1 ????????¶

• ???????????????????????????
• ??????????????????????????????????????

5.2 ????????????????????????????¶

• ??????????????????????
• ???????????????????????? WAF ???
• ????????????????????????????

?????? / ????¶

• https://nvd.nist.gov/vuln/detail/CVE-2017-20005
• https://www.cve.org/CVERecord?id=CVE-2017-20005
• http://nginx.org/en/CHANGES
• https://github.com/nginx/nginx/commit/0206ebe76f748bb39d9de4dd4b3fce777fdfdccf
• https://github.com/nginx/nginx/commit/b900cc28fcbb4cf5a32ab62f80b59292e1c85b4b
• https://lists.debian.org/debian-lts-announce/2021/06/msg00009.html
• https://security.netapp.com/advisory/ntap-20210805-0006/
• https://trac.nginx.org/nginx/ticket/1368