Nginx Security Vulnerabilities – Multiple Flaws Fixed


Product: Nginx


CVE Number: CVE-2018-16843, CVE-2018-16844, CVE-2018-16845

Impact: Low / Medium

Date: 2018-11-10


Product Description

nginx [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler. According to Netcraft, nginx served or proxied 25.28% of the busiest sites in October 2018.

Vulnerability Description

Two security issues were identified in the nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).

A security issue was identified in the ngx_http_mp4_module, which might allow an attacker to cause an infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file (CVE-2018-16845).
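When triaging these issues, the first question is which server blocks actually enable HTTP/2 or the mp4 module. The scanner below is an added example, not part of the original advisory or of nginx itself; the function names and the sample configuration are constructed, and it assumes a single configuration file (it does not follow `include` directives or check the installed version).

```python
import re

# CVEs from the advisory, grouped by the feature that exposes them.
HTTP2_CVES = ("CVE-2018-16843", "CVE-2018-16844")
MP4_CVES = ("CVE-2018-16845",)

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
server {
    listen 443 ssl http2;   # HTTP/2 enabled on this socket
    listen 80;
    # listen 8443 ssl http2;
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
}
"""

def classify(tokens):
    """Map one directive (name followed by arguments) to the CVEs it exposes."""
    name, args = tokens[0], tokens[1:]
    if name == "listen" and "http2" in args:
        return HTTP2_CVES      # 'http2' parameter enables the HTTP/2 code path
    if name == "mp4" and not args:
        return MP4_CVES        # 'mp4;' turns on ngx_http_mp4_module processing
    return ()

def find_exposure(conf_text):
    """Return [(line_no, directive, cves)] for every exposing directive."""
    findings, tokens, start_line = [], [], None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = re.sub(r"#.*", "", raw)  # naive: ignores '#' inside quotes
        for tok in re.findall(r"[;{}]|[^\s;{}]+", line):
            if tok in (";", "{", "}"):  # end of a directive or block header
                cves = classify(tokens) if tokens else ()
                if cves:
                    findings.append((start_line, " ".join(tokens), cves))
                tokens = []
                continue
            if not tokens:
                start_line = line_no    # line where this directive begins
            tokens.append(tok)
    return findings

if __name__ == "__main__":
    for line_no, directive, cves in find_exposure(SAMPLE_CONF):
        print(f"line {line_no}: '{directive}' -> {', '.join(cves)}")
```

A hit only shows that the affected code path is enabled; whether the running binary is vulnerable depends on its version, which the advisory summary above does not list.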

