nginx vulnerabilities (13 August 2019)



  • Several security issues were identified in nginx HTTP/2
    implementation, which might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).

    The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "listen" directive is used in a configuration file.

    The issues affect nginx 1.9.5 - 1.17.2.
    The issues are fixed in nginx 1.17.3, 1.16.1.

    https://vuls.cert.org/confluence/pages/viewpage.action?pageId=56393752

    https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/

    Today we are releasing updates to NGINX Open Source and NGINX Plus in response to the recent discovery of vulnerabilities in many implementations of HTTP/2. We strongly recommend upgrading all systems that have HTTP/2 enabled.
    In May 2019, researchers at Netflix discovered a number of security vulnerabilities in several HTTP/2 server implementations. These were responsibly reported to each of the vendors and maintainers concerned. NGINX was vulnerable to three attack vectors, as detailed in the following CVEs:

    • CVE-2019-9511 (Data dribble)
    • CVE-2019-9513 (Resource loop)
    • CVE-2019-9516 (Zero‑length headers leak)

    We have addressed these vulnerabilities, and added other HTTP/2 security safeguards, in the following NGINX versions:

    • NGINX 1.16.1 (stable)
    • NGINX 1.17.3 (mainline)
    • NGINX Plus R18 P1


  • I guess this should come in as an nginx update via ubuntu at some point. We don't package nginx ourselves.


Log in to reply