Nginx development team released versions 1.15.6 and 1.14.1 to address two HTTP/2 implementation vulnerabilities that can cause a DoS condition in Nginx versions 1.9.5 through 1.15.5.
Two security flaws affecting the nginx HTTP/2 implementation, tracked as CVE-2018-16843 and CVE-2018-16844, might respectively cause excessive memory consumption and CPU usage,
The CVE-2018-16844 flaw was discovered by Gal Goldshtein from F5 Networks.
“Two security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).” wrotenginx core developer Maxim Dounin.
“The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the “http2” option of the “listen” directive is used in a configuration file.”
At the time of writing, querying the Shodan search engine it is possible to find more than 1 million servers running unpatched nginx versions.
nginx team also fixed a flaw affecting the ngx_http_mp4_module module (CVE-2018-16845) that could be exploited by an attacker to cause the worker process to crash or leak memory by getting the module to process a specially crafted MP4 file.
“nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file.” reads the security advisory published by NVD.
“The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
The CVE-2018-16845 flaw affects nginx 1.1.3 and later and 1.0.7 and later, nginx team fixed it with the release of versions 1.15.6 and 1.14.1.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.