Nginx/1.14.2 is an end-of-life stable release that carries several published CVEs, including the DNS resolver heap overwrite, a set of HTTP/2 denial-of-service flaws, and a request-smuggling bug, none of which will ever receive a 1.14 patch. If a scanner flagged nginx/1.14.2 or the sibling nginx/1.14.0, the version alone is the finding: the 1.14 branch stopped receiving fixes long ago, so every relevant nginx 1.14.2 exploit path stays open until you upgrade.
Where nginx 1.14.2 sits in history
Nginx 1.14.2 shipped in December 2018 as a maintenance release on the 1.14 stable branch. That branch was superseded by 1.16 stable in 2019 and then by 1.18 and later lines. Once a stable branch is retired, nginx does not backport security fixes to it. So while people search for a specific "nginx 1.14.2 exploit" or "nginx 1.14.0 exploit," the honest framing is that this release is missing years of security work and the individual CVEs below are simply the visible symptoms.
CVE-2021-23017: resolver heap overwrite
The highest-impact flaw affecting nginx 1.14.2 is CVE-2021-23017, a one-byte heap overwrite in the built-in DNS resolver. It affects nginx from 0.6.18 through 1.20.0 and was fixed in 1.20.1, so 1.14.2 and 1.14.0 are both in range.
It is only reachable if:
- The
resolverdirective is configured, and - An attacker can spoof or control DNS responses reaching that resolver.
# No resolver directive means CVE-2021-23017 does not apply to your instance
resolver 1.1.1.1;
If you never set resolver (it is needed only for runtime DNS resolution of upstreams, OCSP stapling, and similar), this specific bug is inert on your box. If you do, treat it as the priority item.
HTTP/2 denial-of-service CVEs
In August 2019, a family of HTTP/2 flaws was disclosed across many web servers. For nginx, the relevant ones (including the "Data Dribble" and "Resource Loop" style issues, CVE-2019-9511, CVE-2019-9513, and CVE-2019-9516) were fixed in nginx 1.16.1 and 1.17.3. Since 1.14.2 predates those, it is affected wherever HTTP/2 is enabled:
listen 443 ssl http2; # HTTP/2 on: the 2019 DoS CVEs apply
These are availability issues: a malicious client can force excessive CPU or memory use and degrade the server. If you serve HTTP/2 from 1.14.2, they apply.
CVE-2019-20372: error_page request smuggling
CVE-2019-20372 is an HTTP request smuggling issue via error pages, fixed in nginx 1.17.7. It affects earlier versions including 1.14.2 and is reachable in configurations that use error_page to redirect requests. Request smuggling can let an attacker slip a second request past front-end controls, so it matters most when nginx sits behind or in front of other HTTP components.
The nginx/1.14.0 question
Searches often pair 1.14.2 with nginx/1.14.0. Both are on the same retired 1.14 branch; 1.14.0 is simply the earlier point release and carries everything 1.14.2 does plus whatever 1.14.2 itself fixed. If you are on 1.14.0, you are strictly worse off than on 1.14.2 and the same upgrade advice applies with more urgency.
How to remediate
- Upgrade off the 1.14 branch entirely. This is the only genuine fix; there are no 1.14 security patches to apply. Move to a currently maintained stable or mainline branch.
- If an upgrade is blocked short-term, remove or restrict the
resolverdirective, and consider disabling HTTP/2 until you can move, to shrink the exposed surface. - Rebuild containers on a current base image so bundled-library CVEs (freetype, expat, and similar in
nginx:1.14.2images) clear at the same time. - Re-scan after upgrading. Version-only findings clear only when the version actually changes; suppressing the banner with
server_tokens offhides the string but leaves the code, and a software composition analysis pass will still surface the underlying package.
Prioritizing the fixes
If you can only triage rather than upgrade immediately, order it by reachability. A public-facing instance with resolver set and an attacker-influenced DNS path makes CVE-2021-23017 the top concern. An HTTP/2-enabled edge server makes the 2019 DoS CVEs relevant. An error_page-based rewrite in front of other services raises CVE-2019-20372. But all of these are downstream of the same root cause: running an unmaintained build. Fix that and the list collapses.
FAQ
Is nginx 1.14.2 still supported?
No. The 1.14 stable branch is end of life and receives no security patches. Running nginx/1.14.2 or nginx/1.14.0 means missing every fix released since the branch was retired.
What is the most serious nginx 1.14.2 vulnerability?
CVE-2021-23017, a heap overwrite in the DNS resolver affecting 0.6.18 through 1.20.0. It requires the resolver directive to be configured and an attacker able to spoof DNS responses.
Do the HTTP/2 CVEs affect nginx 1.14.2?
Yes, if HTTP/2 is enabled. The August 2019 HTTP/2 denial-of-service flaws were fixed in nginx 1.16.1 and 1.17.3, both later than 1.14.2, so they apply to any 1.14.2 server listening with http2.
How do I upgrade from nginx 1.14.2 safely?
Move to a currently maintained branch, rebuild any containers on a current base image, and re-scan afterward to confirm the version actually changed. Do not rely on server_tokens off, which hides the version but not the vulnerable code.