CVE-2016-4450 Nginx Vulnerabilities


Severity

Medium

Vendor

nginx, Cloud Foundry

Versions Affected
  • nginx before 1.10.1 and 1.11.x versions before 1.11.1
  • Cloud Foundry staticfile buildpack prior to version 1.3.9
  • Cloud Foundry cf-release prior to version 238
Description

os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal OpsManager 1.6.x versions prior to 1.6.15 AND 1.7.x versions prior to 1.7.6
  • Pivotal Elastic Runtime 1.6.x versions prior to 1.6.33 AND 1.7.x versions prior to 1.7.11
Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry version 238 or later
  • Upgrade the Cloud Foundry staticfile buildpack to version 1.3.9 or later and restage all applications that use automated buildpack detection

Users are strongly encouraged to follow the mitigation below:

  • Upgrade Pivotal OpsManager 1.6.x versions to 1.6.15 or later OR 1.7.x versions to 1.7.6 or later
  • Upgrade Pivotal Elastic Runtime 1.6.x versions to 1.6.33 or later OR 1.7.x versions to 1.7.11 or later
  • Upgrade the Cloud Foundry staticfile buildpack to version 1.3.9 or later and restage all applications that use automated buildpack detection. For more information, refer to the CF CLI documentation.

References