nginx vulnerabilities (13 August 2019)
-
Several security issues were identified in the nginx HTTP/2 implementation, which might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "listen" directive is used in a configuration file.
The issues affect nginx 1.9.5 - 1.17.2.
The issues are fixed in nginx 1.17.3, 1.16.1.
https://vuls.cert.org/confluence/pages/viewpage.action?pageId=56393752
https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/
Today we are releasing updates to NGINX Open Source and NGINX Plus in response to the recent discovery of vulnerabilities in many implementations of HTTP/2. We strongly recommend upgrading all systems that have HTTP/2 enabled.
In May 2019, researchers at Netflix discovered a number of security vulnerabilities in several HTTP/2 server implementations. These were responsibly reported to each of the vendors and maintainers concerned. NGINX was vulnerable to three attack vectors, as detailed in the following CVEs:
- CVE-2019-9511 (Data dribble)
- CVE-2019-9513 (Resource loop)
- CVE-2019-9516 (Zero-length headers leak)
We have addressed these vulnerabilities, and added other HTTP/2 security safeguards, in the following NGINX versions:
- NGINX 1.16.1 (stable)
- NGINX 1.17.3 (mainline)
- NGINX Plus R18 P1
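The advisory gives three conditions that must all hold for a server to be exposed: a version in the affected range without the fix, a binary built with ngx_http_v2_module, and at least one uncommented `listen` directive carrying the `http2` option. The following script, added here as an example and not code from nginx or the advisory, checks those three conditions against the text of `nginx -V` and an nginx configuration file. The sample `nginx -V` output and configuration are constructed; the `--with-http_v2_module` configure flag is the real switch that enables the module. One assumption not stated on the page: point releases on the 1.16 stable branch after 1.16.1 are treated as carrying the fix.

```python
import re

# Version facts from the advisory: affected 1.9.5 - 1.17.2,
# fixed in 1.16.1 (stable) and 1.17.3 (mainline).
AFFECTED_LOW = (1, 9, 5)
AFFECTED_HIGH = (1, 17, 2)
FIRST_FIXED_STABLE = (1, 16, 1)
FIRST_FIXED_MAINLINE = (1, 17, 3)


def parse_nginx_version(nginx_v_output: str) -> tuple:
    """Pull the version triple out of the first line of `nginx -V` output."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v_output)
    if not m:
        raise ValueError("could not find 'nginx version: nginx/x.y.z' in output")
    return tuple(int(g) for g in m.groups())


def version_is_fixed(v: tuple) -> bool:
    """True if the version carries the August 2019 HTTP/2 fixes.
    Assumption (not on the page): later 1.16.x stable releases keep the
    fix that 1.16.1 introduced."""
    if v >= FIRST_FIXED_MAINLINE:
        return True
    return v[:2] == (1, 16) and v >= FIRST_FIXED_STABLE


def version_in_affected_range(v: tuple) -> bool:
    """Inside 1.9.5 - 1.17.2 and not one of the fixed releases."""
    return AFFECTED_LOW <= v <= AFFECTED_HIGH and not version_is_fixed(v)


def has_http2_module(nginx_v_output: str) -> bool:
    """ngx_http_v2_module is not built by default; --with-http_v2_module enables it."""
    return "--with-http_v2_module" in nginx_v_output


def http2_listen_directives(config_text: str) -> list:
    """Return every uncommented `listen` statement that enables the http2 option."""
    found = []
    for raw in config_text.splitlines():
        code = raw.split("#", 1)[0]          # drop trailing comments
        for stmt in code.split(";"):         # several directives may share a line
            stmt = stmt.strip()
            if re.match(r"listen\b", stmt) and re.search(r"\bhttp2\b", stmt):
                found.append(stmt)
    return found


def assess(nginx_v_output: str, config_text: str) -> dict:
    """Combine the three advisory conditions into one verdict."""
    v = parse_nginx_version(nginx_v_output)
    module = has_http2_module(nginx_v_output)
    listens = http2_listen_directives(config_text)
    vulnerable_version = version_in_affected_range(v)
    return {
        "version": ".".join(map(str, v)),
        "vulnerable_version": vulnerable_version,
        "http2_module_built": module,
        "http2_listen_directives": listens,
        # all three conditions must hold for the server to be exposed
        "exposed": vulnerable_version and module and bool(listens),
    }


# Constructed sample input: an unpatched 1.16.0 build with HTTP/2 compiled in.
SAMPLE_NGINX_V = """nginx version: nginx/1.16.0
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module
"""

# Constructed sample config: one commented-out http2 listener (must be ignored)
# and one live http2 listener sharing a line with server_name.
SAMPLE_CONFIG = """
server {
    listen 80;
    # listen 443 ssl http2;   # disabled, must not count
    server_name example.test;
}
server {
    listen 443 ssl http2; server_name h2.example.test;
}
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_NGINX_V, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against real output by piping `nginx -V 2>&1` and the contents of `nginx -T` into the two arguments; a server that reports `exposed: True` should be moved to 1.16.1 or 1.17.3 (or NGINX Plus R18 P1), or have the `http2` option removed from its `listen` directives until it can be upgraded.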