Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Several Vulnerabilities Patched in nginx

Updates released this week for the nginx open source web server software address several denial-of-service (DoS) vulnerabilities.

Updates released this week for the nginx open source web server software address several denial-of-service (DoS) vulnerabilities.

In addition to providing web server functionality, Nginx can be used as a load balancer and a reverse proxy. It powers roughly 400 million websites, which makes it one of the most widely used web servers. NGINX, Inc., the company behind nginx, has raised over $100 million, including $43 million in June 2018.

Nginx developers announced this week that versions 1.15.6 and 1.14.1 address two HTTP/2 implementation vulnerabilities that can lead to a DoS condition. The issues impact versions 1.9.5 through 1.15.5.

One of the flaws, tracked as CVE-2018-16843, can result in excessive memory consumption. The other security bug, discovered by Gal Goldshtein from F5 Networks and identified as CVE-2018-16844, can cause excessive CPU usage.

“The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the ‘http2’ option of the ‘listen’ directive is used in a configuration file,” explained nginx core developer Maxim Dounin.

Website administrators using nginx were also informed of a security hole affecting the ngx_http_mp4_module module, which provides pseudo-streaming support for MP4 media files.

The vulnerability, tracked as CVE-2018-16845, can allow an attacker to cause the worker process to crash or leak memory by getting the module to process a specially crafted MP4 file.

“The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the ‘mp4’ directive is used in the configuration file,” Dounin explained. “Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.”

This vulnerability impacts nginx 1.1.3 and later and 1.0.7 and later, and it was also patched with the release of versions 1.15.6 and 1.14.1 on November 6.

Related: Crypto-Mining Attack Targets Web Servers Globally

Related: LimeSurvey Flaws Expose Web Servers to Attacks

Related: Devices Running GoAhead Web Server Prone to Remote Attacks

Related: Web Server Used in 100 ICS Products Affected by Critical Flaw

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.