Old version of nginx in awx-operator

Hello,
In awx (awx-operator version), in the containers responsible for the web, there is a very old version of nginx/1.20.1 (EOL 24 May 2022). How should I interpret this in terms of security? Is this nginx the stock version, and does it have all the vulnerabilities that nginx has in version 1.20? Or is it a custom version of nginx for AWX and I should not pay attention to the nginx version but to AWX as a whole? (blackbox)

Of course, I am aware that awx is currently undergoing major development changes and changes in the repo are stopped. However, here I am interested in the information itself: whether nginx in AWX is the nginx that ended support on May 24, 2022 and has vulnerabilities related to this version.

Information from the container:
# kubectl exec -n awx -it awx-web-546cbcdd67-p8rk2 -c awx-web -- nginx -v
nginx version: nginx/1.20.1

whether nginx in AWX is nginx that ended support on May 24, 2022 and has vulnerabilities related to this version.

Yes and no.

This is not an Nginx customized for AWX, but rather an Nginx package provided by CentOS 9 Stream.

Not just with Nginx, but all packages provided by CentOS 9 Stream are managed under Red Hat’s own lifecycle policy. Even for older versions for which the original vendor (like nginx.org) has ended support, Red Hat may independently continue maintenance by backporting security patches.

Therefore, even if the Nginx version itself is 1.20.1, it’s not exactly the same as version 1.20.1 available for download from nginx.org.
To find accurate information, you need to check the installed RPM version and look up what patches are included in it.

The RPM included in the AWX image is nginx-1.20.1-16.el9.x86_64.rpm, which was released in April 2024.
Using the rpm command, you can see that it was built in October 2023. You can also check the change log.

$ docker run --rm -it quay.io/ansible/awx:24.6.1 dnf list --installed nginx*
Installed Packages
nginx.x86_64                        1:1.20.1-16.el9             @appstream
nginx-core.x86_64                   1:1.20.1-16.el9             @appstream
nginx-filesystem.noarch             1:1.20.1-16.el9             @appstream
$ docker run --rm -it quay.io/ansible/awx:24.6.1 rpm -qi --changelog nginx.x86_64
Name        : nginx
Epoch       : 1
Version     : 1.20.1
Release     : 16.el9
Architecture: x86_64
Install Date: Tue 02 Jul 2024 08:14:02 PM UTC
Group       : Unspecified
Size        : 151988
License     : BSD
Signature   : RSA/SHA256, Wed 17 Apr 2024 06:23:11 AM UTC, Key ID 05b555b38483c65d
Source RPM  : nginx-1.20.1-16.el9.src.rpm
Build Date  : Mon 16 Oct 2023 07:04:08 PM UTC
Build Host  : x86-04.stream.rdu2.redhat.com
Packager    : builder@centos.org
Vendor      : CentOS
URL         : https://nginx.org
Summary     : A high performance web server and reverse proxy server
Description :
Nginx is a web server and a reverse proxy server for HTTP, SMTP, POP3 and
IMAP protocols, with a strong focus on high concurrency, performance and low
memory usage.
* Mon Oct 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-16
- Resolves: RHEL-12518 - nginx: HTTP/2: Multiple HTTP/2 enabled web servers are
  vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* Thu Nov 24 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-14
- Resolves: #2086527 - Fix logrotate config and nginx log dir permissions

* Wed Jun 22 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-13
- Resolves: #2099752 - nginx minimisation for ubi-micro

* Tue Jun 21 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-11
- Resolves: #2028781 - Protocol : TLSv1.3 missing in rhel9

* Wed Feb 02 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-10
- Resolves: #1975747 - CVE-2021-3618 nginx: ALPACA: Application Layer Protocol
  Confusion - Analyzing and Mitigating Cracks in TLS Authentication

* Thu Dec 02 2021 Joe Orton <jorton@redhat.com> - 1:1.20.1-9
- add delaycompress to logrotate config (#2015250)

For your reference, if you look at the CentOS package repository, you’ll see that a newer nginx-1.20.1-22.el9.x86_64.rpm was released in February 2025, and updates on GitLab were made just last week. This confirms that updates for Nginx 1.20.1 are still ongoing.

Hope this helps.
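
The check described in the answer above (read the package changelog instead of trusting the upstream version string) can be scripted. This is an added example, not part of the original posts or of AWX; the function names are hypothetical and the sample input is an excerpt of the changelog quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Sample input: excerpt of the changelog quoted in the answer above.
sample_changelog() {
cat <<'EOF'
* Mon Oct 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-16
- Resolves: RHEL-12518 - nginx: HTTP/2: Multiple HTTP/2 enabled web servers are
  vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* Thu Nov 24 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-14
- Resolves: #2086527 - Fix logrotate config and nginx log dir permissions

* Wed Feb 02 2022 Luboš Uhliarik <luhliari@redhat.com> - 1:1.20.1-10
- Resolves: #1975747 - CVE-2021-3618 nginx: ALPACA: Application Layer Protocol
  Confusion - Analyzing and Mitigating Cracks in TLS Authentication
EOF
}

# Read an RPM changelog on stdin; print "CVE<TAB>epoch:version-release<TAB>date"
# for every CVE id, including ids that sit on wrapped continuation lines.
changelog_cves() {
  awk '
    /^\* / { evr = $NF; date = $3 " " $4 " " $5; next }   # entry header line
    {
      line = $0
      while (match(line, /CVE-[0-9][0-9][0-9][0-9]-[0-9]+/)) {
        print substr(line, RSTART, RLENGTH) "\t" evr "\t" date
        line = substr(line, RSTART + RLENGTH)
      }
    }'
}

# cve_status CVE-ID: read a changelog on stdin and report the package build
# whose changelog entry names that CVE, or that no entry names it.
cve_status() {
  changelog_cves | awk -F '\t' -v id="$1" '
    $1 == id { print "addressed in " $2 " (" $3 ")"; found = 1; exit }
    END      { if (!found) print "not in changelog" }'
}

# Demo on the embedded excerpt. Against the real image the input would be:
#   docker run --rm quay.io/ansible/awx:24.6.1 rpm -q --changelog nginx
sample_changelog | cve_status CVE-2023-44487
```

A "not in changelog" result only means the packager's changelog does not name that CVE; it does not by itself show the package is affected, so the distribution's advisory for that CVE is the next thing to check.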

nginx 1.20 in el9 is a full life support version (Red Hat Enterprise Linux Application Streams Life Cycle | Red Hat Customer Portal), which means it’ll get security backports by Red Hat until end of el9, which is in 2032. In c9s it’s only until end of c9s – Expected EOL: End of RHEL9 - full support - Red Hat Enterprise Linux Life Cycle | Red Hat Customer Portal

Thank you @kurokobo and @Klaas for your answer! Now I understand. I missed that awx is built based on the centos9 image and nginx is in support as part of the distribution.
As I understand it, at the moment the only problem is that we are in the process of rebuilding AWX and no new awx containers have been created for some time now, which is why we are a few months behind with the nginx 1.20 version and the rest of the packages in c9s.