
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-24989 is a security vulnerability affecting NGINX Plus and NGINX OSS when configured to use the HTTP/3 QUIC module (ngx_http_v3_module). The vulnerability was disclosed on February 14, 2024, and affects NGINX open source versions 1.25.0 through 1.25.3, along with the NGINX Plus releases built on the same code. The HTTP/3 QUIC module, which is not enabled by default and is considered experimental, can be triggered by undisclosed requests that cause NGINX worker processes to terminate (NVD, Security Online).
The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The flaw is classified as a NULL Pointer Dereference (CWE-476). A deployment is affected only when both conditions hold: NGINX was built with ngx_http_v3_module (the --with-http_v3_module configure option, visible in nginx -V output) and the configuration file enables the 'quic' parameter on a 'listen' directive (NVD).
The primary impact of this vulnerability is denial of service (DoS). A remote, unauthenticated attacker who can reach the QUIC listener can crash NGINX worker processes. The master process restarts crashed workers, but in-flight connections on the crashed worker are lost and repeated crashes degrade availability. This is particularly concerning for high-traffic websites relying on NGINX for web serving (Security Online).
The primary mitigation is to upgrade to NGINX version 1.25.4 or later, which contains the fix for this vulnerability. If immediate upgrading is not possible, the only reliable workaround is to disable HTTP/3: remove the 'quic' parameter from every 'listen' directive (and the 'http3 on' setting that goes with it) and reload NGINX. Since the HTTP/3 QUIC module is not enabled by default, only systems explicitly built with the module and configured to use this experimental feature are affected (Security Online).
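The two affected-state conditions above (an affected version built with ngx_http_v3_module, plus a 'listen ... quic' directive) are easy to check mechanically before deciding whether to patch or to apply the workaround. The script below is an added triage example, not code from NGINX, NVD or the original report. It runs entirely on constructed sample inputs (a made-up 'nginx -V' output and two made-up server blocks); on a real host you would feed it the output of 'nginx -V 2>&1' and the contents of the config tree, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage check for CVE-2024-24989 exposure.
# All inputs below are constructed samples, not captured from a real host.

# Constructed sample of `nginx -V 2>&1` output for an affected build.
SAMPLE_NGINX_V='nginx version: nginx/1.25.3
built with OpenSSL 3.0.13 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module'

# Constructed config: exposed (QUIC listener) and not exposed (TLS only).
SAMPLE_CONF_QUIC='server {
    listen 443 quic reuseport;   # HTTP/3 over UDP
    listen 443 ssl;
    http3 on;
    ssl_certificate /etc/ssl/example.pem;
}'
SAMPLE_CONF_PLAIN='server {
    listen 443 ssl;
}'

# version_affected NGINX_V_OUTPUT: returns 0 if the version is 1.25.0 .. 1.25.3.
version_affected() {
    v=$(printf '%s\n' "$1" | sed -n 's/^nginx version: nginx\/\([0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    if [ "$major" -eq 1 ] && [ "$minor" -eq 25 ] && [ "$patch" -le 3 ]; then
        return 0
    fi
    return 1
}

# built_with_http3 NGINX_V_OUTPUT: returns 0 if ngx_http_v3_module was compiled in.
built_with_http3() {
    printf '%s\n' "$1" | grep -q -e '--with-http_v3_module'
}

# config_has_quic_listen CONFIG_TEXT: returns 0 if any uncommented listen
# directive carries the quic parameter.
config_has_quic_listen() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]quic([[:space:];]|$)'
}

# assess NGINX_V_OUTPUT CONFIG_TEXT: prints EXPOSED or NOT_EXPOSED and
# returns 0 only when all three conditions for CVE-2024-24989 are met.
assess() {
    if version_affected "$1" && built_with_http3 "$1" && config_has_quic_listen "$2"; then
        echo "EXPOSED"
        return 0
    fi
    echo "NOT_EXPOSED"
    return 1
}

# Demonstration on the constructed samples (affected build, QUIC listener).
assess "$SAMPLE_NGINX_V" "$SAMPLE_CONF_QUIC"
```

The version test is deliberately narrow (1.25.0 through 1.25.3 only); a build reporting 1.25.4 or a 1.24.x stable release is not flagged, and a build without --with-http_v3_module is not flagged regardless of configuration, which matches the affected-state definition in the advisory. The comment-stripping sed keeps a commented-out 'listen 443 quic;' line from producing a false positive.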
Source: This report was generated using AI