Before people panic too much: while people should definitely upgrade ASAP, this exploit does require a hacked or otherwise broken backend. People cannot use this exploit to hack nginx remotely without already being able to manipulate an upstream.
Applications are broadly vulnerable to this problem. It's true that your app server and your web server will share the blame, but that's going to be cold comfort.
(This comment sounds more disagreeable than I mean it to; sorry, it's tricky for me to comment about this stuff).