Updates released this week for the nginx open source web server software address several denial-of-service (DoS) vulnerabilities.
In addition to providing web server functionality, Nginx can be used as a load balancer and a reverse proxy. It powers roughly 400 million websites, which makes it one of the most widely used web servers. NGINX, Inc., the company behind nginx, has raised over $100 million, including $43 million in June 2018.
Nginx developers announced this week that versions 1.15.6 and 1.14.1 address two HTTP/2 implementation vulnerabilities that can lead to a DoS condition. The issues impact versions 1.9.5 through 1.15.5.
One of the flaws, tracked as CVE-2018-16843, can result in excessive memory consumption. The other security bug, discovered by Gal Goldshtein from F5 Networks and identified as CVE-2018-16844, can cause excessive CPU usage.
“The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the ‘http2’ option of the ‘listen’ directive is used in a configuration file,” explained nginx core developer Maxim Dounin.
Website administrators using nginx were also informed of a security hole affecting the ngx_http_mp4_module module, which provides pseudo-streaming support for MP4 media files.
The vulnerability, tracked as CVE-2018-16845, can allow an attacker to cause the worker process to crash or leak memory by getting the module to process a specially crafted MP4 file.
“The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the ‘mp4’ directive is used in the configuration file,” Dounin explained. “Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.”
This vulnerability impacts nginx 1.1.3 and later and 1.0.7 and later, and it was also patched with the release of versions 1.15.6 and 1.14.1 on November 6.