All Vulnerability Reports

USN-3812-1: nginx vulnerabilities


Severity

Medium

Vendor

Canonical Ubuntu

Description

It was discovered that nginx incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to cause excessive memory consumption, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16843)

Gal Goldshtein discovered that nginx incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to cause excessive CPU usage, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16844)

It was discovered that nginx incorrectly handled the ngx_http_mp4_module module. A remote attacker could possibly use this issue with a specially crafted mp4 file to cause nginx to crash, stop responding, or access arbitrary memory. (CVE-2018-16845)

CVEs contained in this USN include: CVE-2018-16843, CVE-2018-16844, CVE-2018-16845

Affected Pivotal Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal Operations Manager is vulnerable in the following releases:
    • 2.3.x versions prior to 2.3.6
    • 2.2.x versions prior to 2.2.10
    • 2.1.x versions prior to 2.1.19
Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Pivotal Operations Manager: 2.3.6, 2.2.10, 2.1.19
References