USN-2991-1 nginx vulnerability

Nginx, Canonical Ubuntu

Versions Affected
  • BOSH-release versions prior to 255.11

It was discovered that nginx incorrectly handled saving client request bodies to temporary files. A remote attacker could possibly use this issue to cause nginx to crash, resulting in a denial of service.

Affected Pivotal Products and Versions
  • Pivotal Ops Manager 1.6.x versions prior to 1.6.15 AND 1.7.x versions prior to 1.7.6

Users of affected versions should apply the following mitigation:

  • For BOSH-only deployments, upgrade BOSH-release to version 255.11
  • For Pivotal Ops Manager deployments, upgrade 1.6.x versions to 1.6.15 or later OR 1.7.x versions to 1.7.6 or later
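As an added example, not part of the Pivotal advisory or of any Pivotal tooling, the following POSIX shell snippet encodes the thresholds above so an operator can check a fleet of version strings (as read from `bosh releases` or the Ops Manager UI; it does not parse that output itself). The function names, the numeric component-wise comparison, and the treatment of release lines the advisory does not mention as "unknown" are assumptions of this example:

```shell
#!/bin/sh
# Added example (not from the advisory): classify BOSH-release and Ops Manager
# versions against the USN-2991-1 fixed versions given above.

# version_ge A B: succeed (exit 0) if dotted version A >= B, comparing each
# numeric component in turn. Anything after a '-' (build metadata) is ignored.
version_ge() {
    a="${1%%-*}"; b="${2%%-*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component of each
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"          # missing component counts as 0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0                                   # all components equal
}

# bosh_release_status VERSION: BOSH-only deployments are fixed from 255.11.
bosh_release_status() {
    if version_ge "$1" 255.11; then echo fixed; else echo affected; fi
}

# opsman_status VERSION: each Ops Manager release line has its own fixed
# version (1.6.15 for 1.6.x, 1.7.6 for 1.7.x). Other lines are not covered
# by this advisory, so they are reported as "unknown" rather than guessed.
opsman_status() {
    v="$1"
    case "$v" in
        1.6.*) if version_ge "$v" 1.6.15; then echo fixed; else echo affected; fi ;;
        1.7.*) if version_ge "$v" 1.7.6;  then echo fixed; else echo affected; fi ;;
        *)     echo unknown ;;
    esac
}

# Usage: sh check_usn_2991.sh <bosh-release-version> <ops-manager-version>
# (script name is hypothetical)
if [ $# -eq 2 ]; then
    echo "BOSH-release $1: $(bosh_release_status "$1")"
    echo "Ops Manager  $2: $(opsman_status "$2")"
fi
```

A deployment reports "affected" until the version is at or past the fixed release for its line; a 1.7.x version below 1.7.6 is still affected even though it is newer than every 1.6.x fix, which is why the two lines are checked separately rather than by a single global threshold.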

Special Note for 1.7.x Ops Manager Deployments

The 1.7.x release line of Ops Manager includes a new feature that allows tile stemcells to "float", so that Operators can update their Ops Manager deployment once rather than installing new releases of every Services product. If you upgrade one Service tile in Ops Manager 1.7.x with the newly released stemcell, all tiles are automatically upgraded to it. For more information about the floating stemcell feature, refer to the Ops Manager documentation on floating stemcells.