An 18-year-old NGINX flaw allows unauthenticated remote code execution

Published 2026-05-18, updated 2026-05-20. Source: https://antoanthongtinhaiphong.gov.vn/lo-hong-ton-tai-suot-18-nam-trong-nginx-cho-phep-thuc-thi-ma-tu-xa-khong-can-xac-thuc/

A new finding has the security community's full attention: a remote code execution flaw in NGINX has sat unnoticed for nearly 18 years inside the rewrite module of the world's most widely deployed web server. An attacker can trigger it remotely with a single specially crafted HTTP request, with no authentication step of any kind.

The vulnerability, tracked as CVE-2026-42945 and named "NGINX Rift" by the depthfirst research team, affects ngx_http_rewrite_module in both NGINX Open Source and NGINX Plus. With a CVSS v4 score of 9.2, it is rated among the most severe bugs ever found in the platform.

According to F5, CVE-2026-42945 is a heap buffer overflow in the handling of the rewrite directive. The exploitable condition arises when a configuration uses unnamed PCRE captures such as $1 and $2 together with a replacement string that contains a question mark (?).

In practice, an attacker can use a specially crafted URI to make NGINX write past the bounds of a heap buffer in the worker process. What makes this worrying is that the overflowing data is not random: it is controlled through the attacker-supplied URI itself, which makes exploitation more precise and more repeatable. depthfirst states that the flaw is exploitable entirely remotely, with no account, login session or prior access of any kind.

"A single HTTP request is enough to trigger the heap overflow and lead to remote code execution in the NGINX worker process," the researchers warn.

In many cases the bug causes the worker process to crash and restart repeatedly, producing a sustained denial-of-service loop for every site hosted on the affected server. Where ASLR (Address Space Layout Randomization) is disabled, the likelihood of achieving remote code execution rises considerably.

Notably, the bug had been present in the NGINX source for roughly 18 years before it was found, a particularly uncomfortable span given how widely NGINX is used worldwide as a web server, reverse proxy, load balancer and API gateway, and throughout cloud-native environments.

F5 lists the affected versions as NGINX Open Source 1.0.0 through 1.30.0, along with several NGINX Plus releases and related products including NGINX Ingress Controller, NGINX Gateway Fabric, NGINX App Protect WAF and F5 DoS for NGINX. Fixes shipped in NGINX Open Source 1.30.1 and 1.31.0, with corresponding patched releases for NGINX Plus.

Alongside "NGINX Rift", F5 fixed three further vulnerabilities:

- CVE-2026-42946: excessive memory allocation in ngx_http_scgi_module and ngx_http_uwsgi_module, which can lead to an unintended memory read or a worker process crash.
- CVE-2026-40701: use-after-free in ngx_http_ssl_module, affecting systems with ssl_verify_client and ssl_ocsp enabled.
- CVE-2026-42934: out-of-bounds read in ngx_http_charset_module, which can leak memory contents.

The vendor advises administrators to update to the latest release to reduce the risk of exploitation. Where patching immediately is not possible, review every rewrite rule and replace unnamed captures ($1, $2) with named captures to lower the attack risk. Note that this workaround addresses only the rewrite-module flaw; the three other CVEs sit in different modules and are resolved only by updating.
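The pre-condition F5 describes (unnamed captures plus a ? in the replacement string) and the recommended workaround (switch to named captures) can be checked mechanically across a configuration. The script below is an added example written by the editor, not code from F5, depthfirst or the article: it scans nginx configuration text for rewrite directives that match the pre-condition and proposes a named-capture equivalent. The sample configuration is constructed; the group names g1, g2 and the ${name} variable form are the editor's choices; the script assumes one directive per line and does not replace running `nginx -t` and a test request against the rewritten rules, nor does it replace applying the vendor patch.

```python
"""Audit nginx `rewrite` directives for the CVE-2026-42945 pre-condition.

Added example (editor's code, not from F5, depthfirst or the article): flags
every rewrite whose replacement uses unnamed captures $1..$9 together with a
literal '?', and proposes the named-capture form the advisory recommends.
Assumes one directive per line; the group names g1, g2, ... are arbitrary.
"""
import re

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = r'''
server {
    listen 80;
    # unnamed captures plus a ? in the replacement: the reported pre-condition
    rewrite ^/old/(.*)/(.*)$ /new.php?a=$1&b=$2 last;
    # unnamed capture but no ? in the replacement: not the pre-condition
    rewrite ^/img/(.*)$ /static/$1 break;
    # named capture: the form the advisory recommends
    rewrite "^/user/(?<uid>[0-9]+)$" /profile.php?id=$uid last;
    # escaped parentheses are literals, not a capture group
    rewrite ^/x/(\(.*\))$ /y.php?v=$1;
}
'''

REWRITE_RE = re.compile(r'^\s*rewrite\s+(.*?)\s*;\s*(?:#.*)?$')
UNNAMED_RE = re.compile(r'\$([1-9])')                  # nginx exposes $1..$9 only
NAMED_OPEN_RE = re.compile(r"\(\?(?:P?<(?![=!])|')([A-Za-z_]\w*)")  # (?<n> (?P<n> (?'n'


def split_args(s):
    """Split directive arguments on whitespace, honouring "..." and '...' quoting."""
    tokens, buf, quote = [], [], None
    for ch in s:
        if quote:
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in '"\'':
            quote = ch
        elif ch.isspace() and buf:
            tokens.append(''.join(buf))
            buf = []
        elif not ch.isspace():
            buf.append(ch)
    if buf:
        tokens.append(''.join(buf))
    return tokens


def name_groups(regex):
    """Rename each unnamed capture to (?<gN>...); return (new_regex, {N: name}).
    Existing named groups keep their name but still take a number, as PCRE
    numbers them too; (?:...), lookarounds, escapes and [...] are untouched."""
    out, names, i, n, in_class = [], {}, 0, 0, False
    while i < len(regex):
        ch = regex[i]
        if ch == '\\' and i + 1 < len(regex):      # escaped char such as \( or \]
            out.append(regex[i:i + 2])
            i += 2
            continue
        if in_class:
            in_class = ch != ']'
        elif ch == '[':
            in_class = True
        elif ch == '(':
            m = NAMED_OPEN_RE.match(regex, i)
            if m:                                   # already a named group
                n += 1
                names[n] = m.group(1)
            elif not regex.startswith('(?', i):     # plain capturing group
                n += 1
                names[n] = 'g%d' % n
                out.append('(?<g%d>' % n)
                i += 1
                continue
        out.append(ch)
        i += 1
    return ''.join(out), names


def audit(conf_text):
    """Return one finding per rewrite directive that matches the pre-condition."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        args = split_args(m.group(1)) if m else []
        if len(args) < 2:
            continue
        regex, repl = args[0], args[1]
        flag = ' ' + args[2] if len(args) > 2 else ''
        if not (UNNAMED_RE.search(repl) and '?' in repl):
            continue                                 # not the reported pre-condition
        named_regex, names = name_groups(regex)
        new_repl = UNNAMED_RE.sub(lambda g: '${%s}' % names[int(g.group(1))]
                                  if int(g.group(1)) in names else g.group(0), repl)
        findings.append({'line': lineno, 'directive': line.strip(),
                         'suggestion': 'rewrite %s %s%s;' % (named_regex, new_repl, flag)})
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_CONF):
        print('line %d: %s\n    suggest: %s' % (f['line'], f['directive'], f['suggestion']))
```

Run against the sample, the script flags lines 5 and 11 only: the rule without a ? and the rule that already uses a named capture are left alone, and the escaped parentheses on line 11 are not mistaken for a group. The ${name} form is used in the proposed replacement so that a capture followed directly by letters or digits is not misread as a different variable; each proposal still needs `nginx -t` and a request test before it goes live, and it lowers exposure only until the patched release is installed.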