The problem exists due to an off-by-one error in the ngx_resolver_copy () function while processing DNS responses. A remote unauthorized attacker could throw an off-by-one error, write a period character ('.', 0x2E) outside of the allocated memory area in the buffer, and execute the code.
The vulnerability could be caused by a DNS response to a DNS query from nginx when configuring a resolver primitive. A specially configured package allows you to overwrite the least significant metadata byte of the next heap block with 0x2E and execute the code.
The issue affects NGINX Open Source, NGINX Plus and NGINX Ingress Controller. The fix is included in the following software versions: NGINX Open Source 1.20.1 (stable version), NGINX Open Source 1.21.0 (main branch), NGINX Plus R23 P1 and NGINX Plus R24 P1. Corrected versions of NGINX Open Source and NGINX Plus are included in the following versions of NGINX Ingress Controller: NGINX Ingress Controller 1.11.2 - NGINX Plus R23 P1, NGINX Ingress Controller 1.11.3 - NGINX Open Source 1.21.0 and NGINX Plus R23 P1.
Nginx also patches an encryption vulnerability in the NGINX Controller NAAS API (CVE-2021-23020), an NGINX Controller credential disclosure vulnerability (CVE-2021-23019), and an information disclosure vulnerability (CVE-2021-23021).