ID CVE-2018-16843
Summary nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
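The summary gives three conditions that all have to hold before a host is in scope: an unfixed version (anything from the first HTTP/2-capable release up to but excluding 1.14.1 on the stable branch or 1.15.6 on mainline), a build that includes the opt-in ngx_http_v2_module, and a `listen` directive that actually carries the `http2` parameter. The following triage script is an added example written for this page; it is not part of the CVE record, of nginx, or of any scanner plugin listed below. It assumes that `nginx -V` output (which nginx prints on stderr) and a flattened configuration (all `include` files already expanded) are passed in as text, and it takes 1.9.5 as the oldest release carrying ngx_http_v2_module, which is inferred from the CPE list on this page. The sample `nginx -V` output and configuration are constructed, not captured from a real host.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in the advisory: 1.14.1 (stable) and 1.15.6 (mainline).
FIXED_STABLE: Version = (1, 14, 1)
FIXED_MAINLINE: Version = (1, 15, 6)
# Assumption taken from the CPE list on this page: 1.9.5 is the oldest
# release that carries ngx_http_v2_module, so anything older has no HTTP/2 code.
FIRST_HTTP2: Version = (1, 9, 5)


def parse_version(text: str) -> Version:
    """Extract x.y.z from 'nginx/1.14.0', 'nginx version: nginx/1.15.2', etc."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no nginx version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_in_range(text: str) -> bool:
    """True if the version is one the advisory leaves unfixed."""
    v = parse_version(text)
    if v < FIRST_HTTP2:
        return False
    if v[:2] == (1, 14):          # stable branch has its own fix point
        return v < FIXED_STABLE
    return v < FIXED_MAINLINE     # 1.9.5..1.13.x and 1.15.0..1.15.5 are unfixed


def built_with_http2(nginx_v_output: str) -> bool:
    """`nginx -V` prints the configure arguments; the module is opt-in."""
    return "--with-http_v2_module" in nginx_v_output


def strip_comments(config: str) -> str:
    """Drop '#' comments so a commented-out listen line is not a false positive."""
    return re.sub(r"#.*", "", config)


def http2_listen_directives(config: str) -> List[str]:
    """Return every listen directive that enables HTTP/2 in a flattened config.
    Assumption: 'include' files have already been expanded into the text."""
    body = strip_comments(config)
    found = []
    for m in re.finditer(r"\blisten\s+([^;]*);", body):
        params = m.group(1).split()
        if "http2" in params:
            found.append("listen " + " ".join(params) + ";")
    return found


def assess(nginx_v_output: str, config: str) -> Dict[str, object]:
    """Combine the three conditions from the advisory into one verdict."""
    listens = http2_listen_directives(config)
    in_range = version_in_range(nginx_v_output)
    has_module = built_with_http2(nginx_v_output)
    return {
        "version_in_range": in_range,
        "built_with_http2": has_module,
        "http2_listen": listens,
        "affected": in_range and has_module and bool(listens),
    }


# Constructed sample input (not captured from a real host): what `nginx -V`
# prints on stderr for a 1.14.0 build with the opt-in HTTP/2 module.
SAMPLE_NGINX_V = (
    "nginx version: nginx/1.14.0\n"
    "built with OpenSSL 1.1.0h  27 Mar 2018\n"
    "TLS SNI support enabled\n"
    "configure arguments: --prefix=/etc/nginx --with-http_ssl_module "
    "--with-http_v2_module\n"
)

# Constructed config: one vhost enables http2, a second only in a comment.
SAMPLE_CONFIG = """
http {
    server {
        listen 443 ssl http2;
        server_name a.example.test;
    }
    server {
        # listen 8443 ssl http2;   disabled, must not be reported
        listen 80;
        server_name b.example.test;
    }
}
"""

# Same config with the interim mitigation the advisory's conditions imply:
# dropping the http2 parameter takes ngx_http_v2_module out of the request path.
MITIGATED_CONFIG = SAMPLE_CONFIG.replace("listen 443 ssl http2;", "listen 443 ssl;")

if __name__ == "__main__":
    for name, cfg in (("as deployed", SAMPLE_CONFIG), ("http2 removed", MITIGATED_CONFIG)):
        print(name, assess(SAMPLE_NGINX_V, cfg))
```

The version predicate mirrors the range in the summary rather than a single "less than" comparison, because 1.14.x and 1.15.x were fixed at different points (1.14.2 is fixed while 1.15.2 is not). Removing `http2` from `listen` is only a stopgap; the fix is upgrading to 1.14.1 / 1.15.6 or the distribution builds referenced below.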
References
Vulnerable Configurations
  • Nginx 1.15.0
    cpe:2.3:a:nginx:nginx:1.15.0
  • Nginx 1.15.1
    cpe:2.3:a:nginx:nginx:1.15.1
  • Nginx 1.15.2
    cpe:2.3:a:nginx:nginx:1.15.2
  • Nginx 1.9.5
    cpe:2.3:a:nginx:nginx:1.9.5
  • Nginx 1.9.6
    cpe:2.3:a:nginx:nginx:1.9.6
  • Nginx 1.9.7
    cpe:2.3:a:nginx:nginx:1.9.7
  • Nginx 1.9.8
    cpe:2.3:a:nginx:nginx:1.9.8
  • Nginx 1.9.9
    cpe:2.3:a:nginx:nginx:1.9.9
  • Nginx 1.9.10
    cpe:2.3:a:nginx:nginx:1.9.10
  • Nginx 1.9.11
    cpe:2.3:a:nginx:nginx:1.9.11
  • Nginx 1.9.12
    cpe:2.3:a:nginx:nginx:1.9.12
  • Nginx 1.9.13
    cpe:2.3:a:nginx:nginx:1.9.13
  • Nginx 1.9.14
    cpe:2.3:a:nginx:nginx:1.9.14
  • Nginx 1.9.15
    cpe:2.3:a:nginx:nginx:1.9.15
  • Nginx 1.10.0
    cpe:2.3:a:nginx:nginx:1.10.0
  • Nginx 1.10.1
    cpe:2.3:a:nginx:nginx:1.10.1
  • Nginx 1.11.0
    cpe:2.3:a:nginx:nginx:1.11.0
  • Nginx 1.11.1
    cpe:2.3:a:nginx:nginx:1.11.1
  • Nginx 1.11.2
    cpe:2.3:a:nginx:nginx:1.11.2
  • Nginx 1.11.3
    cpe:2.3:a:nginx:nginx:1.11.3
  • Nginx 1.11.4
    cpe:2.3:a:nginx:nginx:1.11.4
  • Nginx 1.11.5
    cpe:2.3:a:nginx:nginx:1.11.5
  • Nginx 1.11.6
    cpe:2.3:a:nginx:nginx:1.11.6
  • Nginx 1.11.7
    cpe:2.3:a:nginx:nginx:1.11.7
  • Nginx 1.11.8
    cpe:2.3:a:nginx:nginx:1.11.8
  • Nginx 1.11.9
    cpe:2.3:a:nginx:nginx:1.11.9
  • Nginx 1.11.10
    cpe:2.3:a:nginx:nginx:1.11.10
  • Nginx 1.11.11
    cpe:2.3:a:nginx:nginx:1.11.11
  • Nginx 1.11.12
    cpe:2.3:a:nginx:nginx:1.11.12
  • Nginx 1.11.13
    cpe:2.3:a:nginx:nginx:1.11.13
  • Nginx 1.12.0
    cpe:2.3:a:nginx:nginx:1.12.0
  • Nginx 1.12.1
    cpe:2.3:a:nginx:nginx:1.12.1
  • Nginx 1.12.2
    cpe:2.3:a:nginx:nginx:1.12.2
  • Nginx 1.13.0
    cpe:2.3:a:nginx:nginx:1.13.0
  • Nginx 1.13.1
    cpe:2.3:a:nginx:nginx:1.13.1
  • Nginx 1.13.2
    cpe:2.3:a:nginx:nginx:1.13.2
  • Nginx 1.13.3
    cpe:2.3:a:nginx:nginx:1.13.3
  • Nginx 1.13.4
    cpe:2.3:a:nginx:nginx:1.13.4
  • Nginx 1.13.5
    cpe:2.3:a:nginx:nginx:1.13.5
  • Nginx 1.13.6
    cpe:2.3:a:nginx:nginx:1.13.6
  • Nginx 1.13.7
    cpe:2.3:a:nginx:nginx:1.13.7
  • Nginx 1.13.8
    cpe:2.3:a:nginx:nginx:1.13.8
  • Nginx 1.13.9
    cpe:2.3:a:nginx:nginx:1.13.9
  • Nginx 1.13.10
    cpe:2.3:a:nginx:nginx:1.13.10
  • Nginx 1.13.11
    cpe:2.3:a:nginx:nginx:1.13.11
  • Nginx 1.13.12
    cpe:2.3:a:nginx:nginx:1.13.12
  • Nginx 1.14.0
    cpe:2.3:a:nginx:nginx:1.14.0
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.04 LTS Edition
    cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
  • Canonical Ubuntu Linux 18.10
    cpe:2.3:o:canonical:ubuntu_linux:18.10
CVSS
Base: 7.8
Impact:
Exploitability:
CWE CWE-400
CAPEC
  • XML Ping of the Death
    An attacker initiates a resource depletion attack where a large number of small XML messages are delivered at a sufficiently rapid rate to cause a denial of service or crash of the target. Transactions such as repetitive SOAP transactions can deplete resources faster than a simple flooding attack because of the additional resources used by the SOAP protocol and the resources necessary to process SOAP messages. The transactions used are immaterial as long as they cause resource utilization on the target. In other words, this is a normal flooding attack augmented by using messages that will require extra processing on the target.
  • XML Entity Expansion
    An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.
  • Inducing Account Lockout
    An attacker leverages the security functionality of the system aimed at thwarting potential attacks to launch a denial of service attack against a legitimate system user. Many systems, for instance, implement a password throttling mechanism that locks an account after a certain number of incorrect log in attempts. An attacker can leverage this throttling mechanism to lock a legitimate user out of their own account. The weakness that is being leveraged by an attacker is the very security feature that has been put in place to counteract attacks.
  • Violating Implicit Assumptions Regarding XML Content (aka XML Denial of Service (XDoS))
    XML Denial of Service (XDoS) can be applied to any technology that utilizes XML data. This is, of course, most distributed systems technology including Java, .Net, databases, and so on. XDoS is most closely associated with web services, SOAP, and Rest, because remote service requesters can post malicious XML payloads to the service provider designed to exhaust the service provider's memory, CPU, and/or disk space. The main weakness in XDoS is that the service provider generally must inspect, parse, and validate the XML messages to determine routing, workflow, security considerations, and so on. It is exactly these inspection, parsing, and validation routines that XDoS targets. There are three primary attack vectors that XDoS can navigate: (1) Target CPU through recursion: attacker creates a recursive payload and sends to service provider. (2) Target memory through jumbo payloads: service provider uses DOM to parse XML. DOM creates in memory representation of XML document, but when document is very large (for example, north of 1 Gb) service provider host may exhaust memory trying to build memory objects. (3) XML Ping of death: attack service provider with numerous small files that clog the system. All of the above attacks exploit the loosely coupled nature of web services, where the service provider has little to no control over the service requester and any messages the service requester sends.
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3812-1.NASL
    description It was discovered that nginx incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to cause excessive memory consumption, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16843) Gal Goldshtein discovered that nginx incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to cause excessive CPU usage, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16844) It was discovered that nginx incorrectly handled the ngx_http_mp4_module module. A remote attacker could possibly use this issue with a specially crafted mp4 file to cause nginx to crash, stop responding, or access arbitrary memory. (CVE-2018-16845). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-13
    plugin id 118820
    published 2018-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118820
    title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : nginx vulnerabilities (USN-3812-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1125.NASL
    description nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. (CVE-2018-16843) nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. (CVE-2018-16844)
    last seen 2019-01-16
    modified 2018-12-17
    plugin id 119688
    published 2018-12-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119688
    title Amazon Linux AMI : nginx (ALAS-2018-1125)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_84CA56BEE1DE11E8BCFD00E04C1EA73D.NASL
    description NGINX Team reports : Two security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844). The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file. A security issue was identified in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file (CVE-2018-16845). The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the 'mp4' directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
    last seen 2019-01-16
    modified 2018-12-13
    plugin id 118754
    published 2018-11-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118754
    title FreeBSD : NGINX -- Multiple vulnerabilities (84ca56be-e1de-11e8-bcfd-00e04c1ea73d)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2019-2_0-0117_NGINX.NASL
    description An update of the nginx package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 122023
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122023
    title Photon OS 2.0: Nginx PHSA-2019-2.0-0117
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0201_NGINX.NASL
    description An update of the nginx package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121900
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121900
    title Photon OS 1.0: Nginx PHSA-2018-1.0-0201
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1399.NASL
    description According to the versions of the nginx package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.(CVE-2018-16843) - nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.(CVE-2018-16844) - An instance of missing input sanitization was found in the mp4 module for nginx. A local attacker could create a specially crafted video file that, when streamed by the server, would cause a denial of service (server crash or hang) and, possibly, information disclosure.(CVE-2018-16845) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-12-13
    plugin id 119527
    published 2018-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119527
    title EulerOS 2.0 SP3 : nginx (EulerOS-SA-2018-1399)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2019-195.NASL
    description This update for nginx fixes the following issues :
      nginx was updated to 1.14.2 :
      - Bugfix: nginx could not be built on Fedora 28 Linux.
      - Bugfix: in handling of client addresses when using unix domain listen sockets to work with datagrams on Linux.
      - Change: the logging level of the 'http request', 'https proxy request', 'unsupported protocol', 'version too low', 'no suitable key share', and 'no suitable signature algorithm' SSL errors has been lowered from 'crit' to 'info'.
      - Bugfix: when using OpenSSL 1.1.0 or newer it was not possible to switch off 'ssl_prefer_server_ciphers' in a virtual server if it was switched on in the default server.
      - Bugfix: nginx could not be built with LibreSSL 2.8.0.
      - Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL 1.1.1, the TLS 1.3 protocol was always enabled.
      - Bugfix: sending a disk-buffered request body to a gRPC backend might fail.
      - Bugfix: connections with some gRPC backends might not be cached when using the 'keepalive' directive.
      - Bugfix: a segmentation fault might occur in a worker process if the ngx_http_mp4_module was used on 32-bit platforms.
      Changes with nginx 1.14.1 :
      - Security: when using HTTP/2 a client might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).
      - Security: processing of a specially crafted mp4 file with the ngx_http_mp4_module might result in worker process memory disclosure (CVE-2018-16845).
      - Bugfix: working with gRPC backends might result in excessive memory consumption.
      Changes with nginx 1.13.12 :
      - Bugfix: connections with gRPC backends might be closed unexpectedly when returning a large response.
      Changes with nginx 1.13.10 :
      - Feature: the 'set' parameter of the 'include' SSI directive now allows writing arbitrary responses to a variable; the 'subrequest_output_buffer_size' directive defines maximum response size.
      - Feature: now nginx uses clock_gettime(CLOCK_MONOTONIC) if available, to avoid timeouts being incorrectly triggered on system time changes.
      - Feature: the 'escape=none' parameter of the 'log_format' directive. Thanks to Johannes Baiter and Calin Don.
      - Feature: the $ssl_preread_alpn_protocols variable in the ngx_stream_ssl_preread_module.
      - Feature: the ngx_http_grpc_module.
      - Bugfix: in memory allocation error handling in the 'geo' directive.
      - Bugfix: when using variables in the 'auth_basic_user_file' directive a null character might appear in logs. Thanks to Vadim Filimonov.
    last seen 2019-02-20
    modified 2019-02-19
    plugin id 122295
    published 2019-02-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122295
    title openSUSE Security Update : nginx (openSUSE-2019-195)
  • NASL family Web Servers
    NASL id NGINX_1_15_6.NASL
    description According to its Server response header, the installed version of nginx is 1.x prior to 1.14.1 or 1.15.x prior to 1.15.6. It is, therefore, affected by the following issues : - An unspecified error exists related to the module 'ngx_http_v2_module' that allows excessive memory usage. (CVE-2018-16843) - An unspecified error exists related to the module 'ngx_http_v2_module' that allows excessive CPU usage. (CVE-2018-16844) - An unspecified error exists related to the module 'ngx_http_mp4_module' that allows worker process crashes or memory disclosure. (CVE-2018-16845)
    last seen 2019-01-16
    modified 2018-11-15
    plugin id 118956
    published 2018-11-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118956
    title nginx 1.x < 1.14.1 / 1.15.x < 1.15.6 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4335.NASL
    description Three vulnerabilities were discovered in Nginx, a high-performance web and reverse proxy server, which could result in denial of service in processing HTTP/2 (via excessive memory/CPU usage) or server memory disclosure in the ngx_http_mp4_module module (used for server-side MP4 streaming).
    last seen 2019-01-16
    modified 2018-12-13
    plugin id 118840
    published 2018-11-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118840
    title Debian DSA-4335-1 : nginx - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2019-0334-1.NASL
    description This update for nginx to version 1.14.2 fixes the following issues : Security vulnerabilities addressed : CVE-2018-16843 CVE-2018-16844: Fixed an issue whereby a client using HTTP/2 might cause excessive memory consumption and CPU usage (bsc#1115025 bsc#1115022). CVE-2018-16845: Fixed an issue which might result in worker process memory disclosure when processing a specially crafted mp4 file with the ngx_http_mp4_module (bsc#1115015). Other bug fixes and changes made: Fixed an issue with handling of client addresses when using unix domain listen sockets to work with datagrams on Linux. The logging level of the 'http request', 'https proxy request', 'unsupported protocol', 'version too low', 'no suitable key share', and 'no suitable signature algorithm' SSL errors has been lowered from 'crit' to 'info'. Fixed an issue with using OpenSSL 1.1.0 or newer it was not possible to switch off 'ssl_prefer_server_ciphers' in a virtual server if it was switched on in the default server. Fixed an issue with TLS 1.3 always being enabled when built with OpenSSL 1.1.0 and used with 1.1.1. Fixed an issue with sending a disk-buffered request body to a gRPC backend. Fixed an issue with connections of some gRPC backends might not be cached when using the 'keepalive' directive. Fixed a segmentation fault, which might occur in a worker process if the ngx_http_mp4_module was used on 32-bit platforms. Fixed an issue, whereby working with gRPC backends might result in excessive memory consumption. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-14
    modified 2019-02-13
    plugin id 122147
    published 2019-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=122147
    title SUSE SLES15 Security Update : nginx (SUSE-SU-2019:0334-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-7C540FDAB4.NASL
    description Security fix for CVE-2018-16843, CVE-2018-16844, CVE-2018-16845 + nginx rebase to 1.14.1. ---- New version 1.14.1 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2019-01-03
    plugin id 120557
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120557
    title Fedora 29 : 1:nginx (2018-7c540fdab4)
redhat via4
advisories
  • rhsa
    id RHSA-2018:3653
  • rhsa
    id RHSA-2018:3680
  • rhsa
    id RHSA-2018:3681
refmap via4
bid 105868
confirm https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16843
debian DSA-4335
misc http://mailman.nginx.org/pipermail/nginx-announce/2018/000220.html
sectrack 1042038
ubuntu USN-3812-1
Last major update 07-11-2018 - 09:29
Published 07-11-2018 - 09:29
Last modified 12-12-2018 - 14:47