Vulnerabilities > CVE-2018-16845 - Resource Exhaustion vulnerability in multiple products

047910
CVSS 5.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
PARTIAL

Summary

nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.

Vulnerable Configurations

Part Description Count
Application
F5
150
Application
Apple
84
OS
Debian
2
OS
Canonical
4
OS
Opensuse
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • XML Ping of the Death
    An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
  • XML Entity Expansion
    An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.
  • Inducing Account Lockout
    An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
  • Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))
    XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .Net, databases, and so on. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. There are three primary attack vectors that XDoS can navigate Target CPU through recursion: attacker creates a recursive payload and sends to service provider Target memory through jumbo payloads: service provider uses DOM to parse XML. DOM creates in memory representation of XML document, but when document is very large (for example, north of 1 Gb) service provider host may exhaust memory trying to build memory objects. XML Ping of death: attack service provider with numerous small files that clog the system. All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1572.NASL
    descriptionIt was discovered that there was a denial of service (DoS) vulnerability in the nginx web/proxy server. As there was no validation for the size of a 64-bit atom in an MP4 file, this could have led to a CPU hog when the size was 0, or various other problems due to integer underflow when the calculating atom data size, including segmentation faults or even worker-process memory disclosure. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id118839
    published2018-11-09
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118839
    titleDebian DLA-1572-1 : nginx security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1572-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118839);
      script_version("1.4");
      script_cvs_date("Date: 2019/04/26 11:34:29");
    
      script_cve_id("CVE-2018-16845");
    
      script_name(english:"Debian DLA-1572-1 : nginx security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that there was a denial of service (DoS)
    vulnerability in the nginx web/proxy server.
    
    As there was no validation for the size of a 64-bit atom in an MP4
    file, this could have led to a CPU hog when the size was 0, or various
    other problems due to integer underflow when the calculating atom data
    size, including segmentation faults or even worker-process memory
    disclosure.
    
    For Debian 8 'Jessie', this issue has been fixed in nginx version
    1.6.2-5+deb8u6.
    
    We recommend that you upgrade your nginx packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2018/11/msg00010.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/nginx"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx-extras");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx-extras-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx-full");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx-full-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx-light");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx-light-dbg");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/09");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"nginx", reference:"1.6.2-5+deb8u6")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-common", reference:"1.6.2-5+deb8u6")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-doc", reference:"1.6.2-5+deb8u6")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-extras", reference:"1.6.2-5+deb8u6")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-extras-dbg", reference:"1.6.2-5+deb8u6")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-full", reference:"1.6.2-5+deb8u6")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-full-dbg", reference:"1.6.2-5+deb8u6")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-light", reference:"1.6.2-5+deb8u6")) flag++;
    if (deb_check(release:"8.0", prefix:"nginx-light-dbg", reference:"1.6.2-5+deb8u6")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-1_0-0211_NGINX.NASL
    descriptionAn update of the nginx package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id122895
    published2019-03-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122895
    titlePhoton OS 1.0: Nginx PHSA-2019-1.0-0211
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2019-1.0-0211. The text
    # itself is copyright (C) VMware, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122895);
      script_version("1.2");
      script_cvs_date("Date: 2020/02/04");
    
      script_cve_id("CVE-2018-16845");
    
      script_name(english:"Photon OS 1.0: Nginx PHSA-2019-1.0-0211");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the nginx package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-1.0-211.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-16845");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/02/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:nginx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-1.0", reference:"nginx-1.13.8-7.ph1")) flag++;
    if (rpm_check(release:"PhotonOS-1.0", reference:"nginx-debuginfo-1.13.8-7.ph1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2309-1.NASL
    descriptionThis update for nginx fixes the following issues : Security issues fixed : CVE-2019-9511: Fixed a denial of service by manipulating the window size and stream prioritization (bsc#1145579). CVE-2019-9513: Fixed a denial of service caused by resource loops (bsc#1145580). CVE-2019-9516: Fixed a denial of service caused by header leaks (bsc#1145582). CVE-2018-16845: Fixed denial of service and memory disclosure via mp4 module (bsc#1115015). CVE-2018-16843: Fixed excessive memory consumption in HTTP/2 implementation (bsc#1115022). CVE-2018-16844: Fixed excessive CPU usage via flaw in HTTP/2 implementation (bsc#1115025). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128544
    published2019-09-06
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128544
    titleSUSE SLES15 Security Update : nginx (SUSE-SU-2019:2309-1) (0-Length Headers Leak) (Data Dribble) (Resource Loop)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:2309-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128544);
      script_version("1.3");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2018-16843", "CVE-2018-16844", "CVE-2018-16845", "CVE-2019-9511", "CVE-2019-9513", "CVE-2019-9516");
    
      script_name(english:"SUSE SLES15 Security Update : nginx (SUSE-SU-2019:2309-1) (0-Length Headers Leak) (Data Dribble) (Resource Loop)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for nginx fixes the following issues :
    
    Security issues fixed :
    
    CVE-2019-9511: Fixed a denial of service by manipulating the window
    size and stream prioritization (bsc#1145579).
    
    CVE-2019-9513: Fixed a denial of service caused by resource loops
    (bsc#1145580).
    
    CVE-2019-9516: Fixed a denial of service caused by header leaks
    (bsc#1145582).
    
    CVE-2018-16845: Fixed denial of service and memory disclosure via mp4
    module (bsc#1115015).
    
    CVE-2018-16843: Fixed excessive memory consumption in HTTP/2
    implementation (bsc#1115022).
    
    CVE-2018-16844: Fixed excessive CPU usage via flaw in HTTP/2
    implementation (bsc#1115025).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115015"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115022"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1115025"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1145579"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1145580"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1145582"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-16843/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-16844/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-16845/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-9511/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-9513/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-9516/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-20192309-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b73be31f"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Module for Server Applications 15-SP1:zypper in
    -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2019-2309=1
    
    SUSE Linux Enterprise Module for Open Buildservice Development Tools
    15-SP1:zypper in -t patch
    SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2309=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-16845");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nginx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nginx-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nginx-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/06");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES15", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP1", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES15", sp:"1", reference:"nginx-1.14.2-6.3.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"nginx-debuginfo-1.14.2-6.3.1")) flag++;
    if (rpm_check(release:"SLES15", sp:"1", reference:"nginx-debugsource-1.14.2-6.3.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-7C540FDAB4.NASL
    descriptionSecurity fix for CVE-2018-16843, CVE-2018-16844, CVE-2018-16845 + nginx rebase to 1.14.1. ---- New version 1.14.1 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2019-01-03
    plugin id120557
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120557
    titleFedora 29 : 1:nginx (2018-7c540fdab4)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2018-7c540fdab4.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(120557);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2018-16843", "CVE-2018-16844", "CVE-2018-16845");
      script_xref(name:"FEDORA", value:"2018-7c540fdab4");
    
      script_name(english:"Fedora 29 : 1:nginx (2018-7c540fdab4)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2018-16843, CVE-2018-16844, CVE-2018-16845 +
    nginx rebase to 1.14.1.
    
    ----
    
    New version 1.14.1
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-7c540fdab4"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 1:nginx package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-16845");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:1:nginx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:29");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^29([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 29", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC29", reference:"nginx-1.14.1-2.fc29", epoch:"1")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "1:nginx");
    }
    
  • NASL familyPhotonOS Local Security Checks
    NASL idPHOTONOS_PHSA-2019-2_0-0132_NGINX.NASL
    descriptionAn update of the nginx package has been released.
    last seen2020-06-01
    modified2020-06-02
    plugin id122908
    published2019-03-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122908
    titlePhoton OS 2.0: Nginx PHSA-2019-2.0-0132
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2019-2.0-0132. The text
    # itself is copyright (C) VMware, Inc.
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122908);
      script_version("1.2");
      script_cvs_date("Date: 2020/02/04");
    
      script_cve_id("CVE-2018-16845");
    
      script_name(english:"Photon OS 2.0: Nginx PHSA-2019-2.0-0132");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote PhotonOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "An update of the nginx package has been released.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-2-132.md");
      script_set_attribute(attribute:"solution", value:
    "Update the affected Linux packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-17246");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/02/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:nginx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:2.0");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 2\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 2.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    flag = 0;
    
    if (rpm_check(release:"PhotonOS-2.0", reference:"nginx-1.13.10-2.ph2")) flag++;
    if (rpm_check(release:"PhotonOS-2.0", reference:"nginx-debuginfo-1.13.10-2.ph2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2120.NASL
    descriptionThis update for nginx fixes the following issues : Security issues fixed : - CVE-2019-9511: Fixed a denial of service by manipulating the window size and stream prioritization (bsc#1145579). - CVE-2019-9513: Fixed a denial of service caused by resource loops (bsc#1145580). - CVE-2019-9516: Fixed a denial of service caused by header leaks (bsc#1145582). - CVE-2018-16845: Fixed denial of service and memory disclosure via mp4 module (bsc#1115015). - CVE-2018-16843: Fixed excessive memory consumption in HTTP/2 implementation (bsc#1115022). - CVE-2018-16844: Fixed excessive CPU usage via flaw in HTTP/2 implementation (bsc#1115025). This update was imported from the SUSE:SLE-15-SP1:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id128671
    published2019-09-11
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128671
    titleopenSUSE Security Update : nginx (openSUSE-2019-2120) (0-Length Headers Leak) (Data Dribble) (Resource Loop)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2019-2120.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(128671);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/27");
    
      script_cve_id("CVE-2018-16843", "CVE-2018-16844", "CVE-2018-16845", "CVE-2019-9511", "CVE-2019-9513", "CVE-2019-9516");
    
      script_name(english:"openSUSE Security Update : nginx (openSUSE-2019-2120) (0-Length Headers Leak) (Data Dribble) (Resource Loop)");
      script_summary(english:"Check for the openSUSE-2019-2120 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for nginx fixes the following issues :
    
    Security issues fixed :
    
      - CVE-2019-9511: Fixed a denial of service by manipulating
        the window size and stream prioritization (bsc#1145579).
    
      - CVE-2019-9513: Fixed a denial of service caused by
        resource loops (bsc#1145580).
    
      - CVE-2019-9516: Fixed a denial of service caused by
        header leaks (bsc#1145582).
    
      - CVE-2018-16845: Fixed denial of service and memory
        disclosure via mp4 module (bsc#1115015).
    
      - CVE-2018-16843: Fixed excessive memory consumption in
        HTTP/2 implementation (bsc#1115022).
    
      - CVE-2018-16844: Fixed excessive CPU usage via flaw in
        HTTP/2 implementation (bsc#1115025).
    
    This update was imported from the SUSE:SLE-15-SP1:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115015"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115022"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115025"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1145579"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1145580"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1145582"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected nginx packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-16845");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-plugin-nginx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/09/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/11");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.1", reference:"nginx-1.14.2-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"nginx-debuginfo-1.14.2-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"nginx-debugsource-1.14.2-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"nginx-source-1.14.2-lp151.4.3.1") ) flag++;
    if ( rpm_check(release:"SUSE15.1", reference:"vim-plugin-nginx-1.14.2-lp151.4.3.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx / nginx-debuginfo / nginx-debugsource / nginx-source / etc");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4335.NASL
    descriptionThree vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could result in denial of service in processing HTTP/2 (via excessive memory/CPU usage) or server memory disclosure in the ngx_http_mp4_module module (used for server-side MP4 streaming).
    last seen2020-06-01
    modified2020-06-02
    plugin id118840
    published2018-11-09
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118840
    titleDebian DSA-4335-1 : nginx - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4335. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(118840);
      script_version("1.6");
      script_cvs_date("Date: 2019/04/26 11:34:29");
    
      script_cve_id("CVE-2018-16843", "CVE-2018-16844", "CVE-2018-16845");
      script_xref(name:"DSA", value:"4335");
    
      script_name(english:"Debian DSA-4335-1 : nginx - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Three vulnerabilities were discovered in Nginx, a high-performance web
    and reverse proxy server, which could result in denial of service in
    processing HTTP/2 (via excessive memory/CPU usage) or server memory
    disclosure in the ngx_http_mp4_module module (used for server-side MP4
    streaming)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/nginx"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/nginx"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2018/dsa-4335"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the nginx packages.
    
    For the stable distribution (stretch), these problems have been fixed
    in version 1.10.3-1+deb9u2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-auth-pam", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-cache-purge", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-dav-ext", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-echo", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-fancyindex", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-geoip", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-headers-more-filter", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-image-filter", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-lua", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-ndk", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-perl", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-subs-filter", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-uploadprogress", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-upstream-fair", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-http-xslt-filter", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-mail", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-nchan", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"libnginx-mod-stream", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"nginx", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"nginx-common", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"nginx-doc", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"nginx-extras", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"nginx-full", reference:"1.10.3-1+deb9u2")) flag++;
    if (deb_check(release:"9.0", prefix:"nginx-light", reference:"1.10.3-1+deb9u2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-195.NASL
    descriptionThis update for nginx fixes the following issues : nginx was updated to 1.14.2 : - Bugfix: nginx could not be built on Fedora 28 Linux. - Bugfix: in handling of client addresses when using unix domain listen sockets to work with datagrams on Linux. - Change: the logging level of the
    last seen2020-05-31
    modified2019-02-19
    plugin id122295
    published2019-02-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122295
    titleopenSUSE Security Update : nginx (openSUSE-2019-195)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2019-195.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122295);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/26");
    
      script_cve_id("CVE-2018-16843", "CVE-2018-16844", "CVE-2018-16845");
    
      script_name(english:"openSUSE Security Update : nginx (openSUSE-2019-195)");
      script_summary(english:"Check for the openSUSE-2019-195 patch");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "This update for nginx fixes the following issues :
    
    nginx was updated to 1.14.2 :
    
      - Bugfix: nginx could not be built on Fedora 28 Linux.
    
      - Bugfix: in handling of client addresses when using unix
        domain listen sockets to work with datagrams on Linux.
    
      - Change: the logging level of the 'http request', 'https
        proxy request', 'unsupported protocol', 'version too
        low', 'no suitable key share', and 'no suitable
        signature algorithm' SSL errors has been lowered from
        'crit' to 'info'.
    
      - Bugfix: when using OpenSSL 1.1.0 or newer it was not
        possible to switch off 'ssl_prefer_server_ciphers' in a
        virtual server if it was switched on in the default
        server.
    
      - Bugfix: nginx could not be built with LibreSSL 2.8.0.
    
      - Bugfix: if nginx was built with OpenSSL 1.1.0 and used
        with OpenSSL 1.1.1, the TLS 1.3 protocol was always
        enabled.
    
      - Bugfix: sending a disk-buffered request body to a gRPC
        backend might fail.
    
      - Bugfix: connections with some gRPC backends might not be
        cached when using the 'keepalive' directive.
    
      - Bugfix: a segmentation fault might occur in a worker
        process if the ngx_http_mp4_module was used on 32-bit
        platforms.
    
    Changes with nginx 1.14.1 :
    
      - Security: when using HTTP/2 a client might cause
        excessive memory consumption (CVE-2018-16843) and CPU
        usage (CVE-2018-16844).
    
      - Security: processing of a specially crafted mp4 file
        with the ngx_http_mp4_module might result in worker
        process memory disclosure (CVE-2018-16845).
    
      - Bugfix: working with gRPC backends might result in
        excessive memory consumption.
    
    Changes with nginx 1.13.12 :
    
      - Bugfix: connections with gRPC backends might be closed
        unexpectedly when returning a large response.
    
    Changes with nginx 1.13.10
    
      - Feature: the 'set' parameter of the 'include' SSI
        directive now allows writing arbitrary responses to a
        variable; the 'subrequest_output_buffer_size' directive
        defines maximum response size.
    
      - Feature: now nginx uses clock_gettime(CLOCK_MONOTONIC)
        if available, to avoid timeouts being incorrectly
        triggered on system time changes.
    
      - Feature: the 'escape=none' parameter of the 'log_format'
        directive. Thanks to Johannes Baiter and Calin Don.
    
      - Feature: the $ssl_preread_alpn_protocols variable in the
        ngx_stream_ssl_preread_module.
    
      - Feature: the ngx_http_grpc_module.
    
      - Bugfix: in memory allocation error handling in the 'geo'
        directive.
    
      - Bugfix: when using variables in the
        'auth_basic_user_file' directive a null character might
        appear in logs. Thanks to Vadim Filimonov."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115015"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115022"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1115025"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected nginx packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-16845");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nginx-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vim-plugin-nginx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.0", reference:"nginx-1.14.2-lp150.2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"nginx-debuginfo-1.14.2-lp150.2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"nginx-debugsource-1.14.2-lp150.2.4.1") ) flag++;
    if ( rpm_check(release:"SUSE15.0", reference:"vim-plugin-nginx-1.14.2-lp150.2.4.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "nginx / nginx-debuginfo / nginx-debugsource / vim-plugin-nginx");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1399.NASL
    descriptionAccording to the versions of the nginx package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the
    last seen2020-05-15
    modified2018-12-10
    plugin id119527
    published2018-12-10
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119527
    titleEulerOS 2.0 SP3 : nginx (EulerOS-SA-2018-1399)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0334-1.NASL
    descriptionThis update for nginx to version 1.14.2 fixes the following issues : Security vulnerabilities addressed : CVE-2018-16843 CVE-2018-16844: Fixed an issue whereby a client using HTTP/2 might cause excessive memory consumption and CPU usage (bsc#1115025 bsc#1115022). CVE-2018-16845: Fixed an issue which might result in worker process memory disclosure whne processing of a specially crafted mp4 file with the ngx_http_mp4_module (bsc#1115015). Other bug fixes and changes made: Fixed an issue with handling of client addresses when using unix domain listen sockets to work with datagrams on Linux. The logging level of the
    last seen2020-06-01
    modified2020-06-02
    plugin id122147
    published2019-02-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122147
    titleSUSE SLES15 Security Update : nginx (SUSE-SU-2019:0334-1)
  • NASL familyWeb Servers
    NASL idNGINX_1_15_6.NASL
    descriptionAccording to its Server response header, the installed version of nginx is 1.x prior to 1.14.1 or 1.15.x prior to 1.15.6. It is, therefore, affected by the following issues : - An unspecified error exists related to the module
    last seen2020-05-09
    modified2018-11-14
    plugin id118956
    published2018-11-14
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118956
    titlenginx 1.x < 1.14.1 / 1.15.x < 1.15.6 Multiple Vulnerabilties
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3812-1.NASL
    descriptionIt was discovered that nginx incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to cause excessive memory consumption, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16843) Gal Goldshtein discovered that nginx incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to cause excessive CPU usage, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16844) It was discovered that nginx incorrectly handled the ngx_http_mp4_module module. A remote attacker could possibly use this issue with a specially crafted mp4 file to cause nginx to crash, stop responding, or access arbitrary memory. (CVE-2018-16845). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id118820
    published2018-11-08
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118820
    titleUbuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : nginx vulnerabilities (USN-3812-1)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_84CA56BEE1DE11E8BCFD00E04C1EA73D.NASL
    descriptionNGINX Team reports : Two security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844). The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the
    last seen2020-06-01
    modified2020-06-02
    plugin id118754
    published2018-11-07
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118754
    titleFreeBSD : NGINX -- Multiple vulnerabilities (84ca56be-e1de-11e8-bcfd-00e04c1ea73d)

Redhat

advisories
  • rhsa
    idRHSA-2018:3652
  • rhsa
    idRHSA-2018:3653
  • rhsa
    idRHSA-2018:3680
  • rhsa
    idRHSA-2018:3681
rpms
  • rh-nginx18-nginx-1:1.8.1-1.el6.1
  • rh-nginx18-nginx-1:1.8.1-1.el7.1
  • rh-nginx18-nginx-debuginfo-1:1.8.1-1.el6.1
  • rh-nginx18-nginx-debuginfo-1:1.8.1-1.el7.1
  • rh-nginx110-nginx-1:1.10.2-8.el6.1
  • rh-nginx110-nginx-1:1.10.2-8.el7.1
  • rh-nginx110-nginx-debuginfo-1:1.10.2-8.el6.1
  • rh-nginx110-nginx-debuginfo-1:1.10.2-8.el7.1
  • rh-nginx110-nginx-mod-http-image-filter-1:1.10.2-8.el6.1
  • rh-nginx110-nginx-mod-http-image-filter-1:1.10.2-8.el7.1
  • rh-nginx110-nginx-mod-http-perl-1:1.10.2-8.el6.1
  • rh-nginx110-nginx-mod-http-perl-1:1.10.2-8.el7.1
  • rh-nginx110-nginx-mod-http-xslt-filter-1:1.10.2-8.el6.1
  • rh-nginx110-nginx-mod-http-xslt-filter-1:1.10.2-8.el7.1
  • rh-nginx110-nginx-mod-mail-1:1.10.2-8.el6.1
  • rh-nginx110-nginx-mod-mail-1:1.10.2-8.el7.1
  • rh-nginx110-nginx-mod-stream-1:1.10.2-8.el6.1
  • rh-nginx110-nginx-mod-stream-1:1.10.2-8.el7.1
  • rh-nginx112-nginx-1:1.12.1-2.el7.1
  • rh-nginx112-nginx-debuginfo-1:1.12.1-2.el7.1
  • rh-nginx112-nginx-mod-http-image-filter-1:1.12.1-2.el7.1
  • rh-nginx112-nginx-mod-http-perl-1:1.12.1-2.el7.1
  • rh-nginx112-nginx-mod-http-xslt-filter-1:1.12.1-2.el7.1
  • rh-nginx112-nginx-mod-mail-1:1.12.1-2.el7.1
  • rh-nginx112-nginx-mod-stream-1:1.12.1-2.el7.1
  • rh-nginx114-nginx-1:1.14.1-1.el7
  • rh-nginx114-nginx-debuginfo-1:1.14.1-1.el7
  • rh-nginx114-nginx-mod-http-image-filter-1:1.14.1-1.el7
  • rh-nginx114-nginx-mod-http-perl-1:1.14.1-1.el7
  • rh-nginx114-nginx-mod-http-xslt-filter-1:1.14.1-1.el7
  • rh-nginx114-nginx-mod-mail-1:1.14.1-1.el7
  • rh-nginx114-nginx-mod-stream-1:1.14.1-1.el7