[SingCERT] Alert on Nginx Vulnerabilities (CVE-2018-16843, CVE-2018-16844, and CVE-2018-16845)

Published on Thursday, 08 November 2018 18:11

Background

Nginx is a free, open-source and high-performance web server used in over 14 million sites, including websites of companies such as Dropbox, Netflix, and Wordpress.com.

Nginx has announced security patches for three vulnerabilities, which can result in a Denial of Service (DoS) and/or Data Exfiltration:

  • CVE-2018-16843 and CVE-2018-16844 are vulnerabilities in the ngx_http_v2_module, and could allow an attacker to send maliciously crafted web requests which can cause excessive memory consumption and CPU usage, hence resulting in a DoS state for the server.
  • CVE-2018-16845 is a vulnerability in the ngx_http_mp4_module, which could cause a crash, and leak memory data when processing a malicious mp4 file.


Affected Products

The following software versions are vulnerable:
•    Nginx 1.1.3+
•    Nginx 1.0.7+
•    Nginx 1.9.5 - 1.15.5


Impact

Successful exploitation of these vulnerabilities could allow attackers to perform a DoS attack which can disrupt service to legitimate users, and memory data which may contain sensitive information to be exfiltrated.


Recommendations

System administrators and website owners using affected Nginx software should upgrade to the latest versions - Nginx 1.15.6 or Nginx 1.14.1 at http://nginx.org/en/download.html.


References

https://news.softpedia.com/news/nginx-security-issues-expose-more-than-14-million-servers-to-dos-attacks-523659.shtml
http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html
http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html