Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Several Vulnerabilities Patched in nginx

Updates released this week for the nginx open source web server software address several denial-of-service (DoS) vulnerabilities.

Updates released this week for the nginx open source web server software address several denial-of-service (DoS) vulnerabilities.

In addition to providing web server functionality, Nginx can be used as a load balancer and a reverse proxy. It powers roughly 400 million websites, which makes it one of the most widely used web servers. NGINX, Inc., the company behind nginx, has raised over $100 million, including $43 million in June 2018.

Nginx developers announced this week that versions 1.15.6 and 1.14.1 address two HTTP/2 implementation vulnerabilities that can lead to a DoS condition. The issues impact versions 1.9.5 through 1.15.5.

One of the flaws, tracked as CVE-2018-16843, can result in excessive memory consumption. The other security bug, discovered by Gal Goldshtein from F5 Networks and identified as CVE-2018-16844, can cause excessive CPU usage.

“The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the ‘http2’ option of the ‘listen’ directive is used in a configuration file,” explained nginx core developer Maxim Dounin.

Website administrators using nginx were also informed of a security hole affecting the ngx_http_mp4_module module, which provides pseudo-streaming support for MP4 media files.

The vulnerability, tracked as CVE-2018-16845, can allow an attacker to cause the worker process to crash or leak memory by getting the module to process a specially crafted MP4 file.

“The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the ‘mp4’ directive is used in the configuration file,” Dounin explained. “Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.”

Advertisement. Scroll to continue reading.

This vulnerability impacts nginx 1.1.3 and later and 1.0.7 and later, and it was also patched with the release of versions 1.15.6 and 1.14.1 on November 6.

Related: Crypto-Mining Attack Targets Web Servers Globally

Related: LimeSurvey Flaws Expose Web Servers to Attacks

Related: Devices Running GoAhead Web Server Prone to Remote Attacks

Related: Web Server Used in 100 ICS Products Affected by Critical Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.