os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.

redhat RHSA-2016:1425: RHSA-2016:1425: rh-nginx18-nginx security update (Moderate)

The version of Palo Alto Networks PAN-OS running on the remote host is 7.1.x prior to 8.1.14 or 8.0.x prior to 8.1.14 or 8.1.x prior to 8.1.14 or 9.0.x prior to 9.0.7. It is, therefore, affected by a vulnerability.

  - The default configuration of nginx, possibly 1.3.13 and earlier, uses world-readable     permissions for the (1) access.log and (2) error.log files, which allows local users     to obtain sensitive information by reading the files. (CVE-2013-0337)   
  - os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote     attackers to cause a denial of service (NULL pointer dereference and worker process     crash) via a crafted request, involving writing a client request body to a temporary     file. (CVE-2016-4450)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the nginx package has been released.

According to the self-reported version in its response header, the version of nginx hosted on the remote web server is < 1.11.1. It is, therefore, affected by an NULL pointer dereference vulnerability

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the self-reported version in its response header, the version of nginx hosted on the remote web server is less than 1.10.1,  or 1.11.x less than 1.11.1. It is, therefore, affected by a denial of  service vulnerability

The version of Arista Networks EOS running on the remote device is affected by a denial of service vulnerability in NGINX due to a NULL pointer dereference flaw in the ngx_chain_to_iovec() function within file os/unix/ngx_files.c when handling specially crafted requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request to write a client request body to a temporary file, to crash a worker process.

The remote host is affected by the vulnerability described in GLSA-201606-06 (nginx: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in nginx. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly cause a Denial of Service condition via       a crafted packet.
  Workaround :

    There is no known workaround at this time.

This update for nginx fixes the following vulnerability :

  - CVE-2016-4450: Remote attackers could have caused a     denial of service (NULL pointer dereference and worker     process crash) via a crafted request, involving writing     a client request body to a temporary file.

fix CVE-2016-4450

----

update to upstream release 1.8.1 to fix CVE-2016-4450

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

update to upstream release 1.10.1 to fix CVE-2016-4450

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A problem was identified in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file.

It was discovered that nginx incorrectly handled saving client request bodies to temporary files. A remote attacker could possibly use this issue to cause nginx to crash, resulting in a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that a NULL pointer dereference in the Nginx code responsible for saving client request bodies to a temporary file might result in denial of service: Malformed requests could crash worker processes.

Maxim Dounin reports :

A problem was identified in nginx code responsible for saving client request body to a temporary file. A specially crafted request might result in worker process crash due to a NULL pointer dereference while writing client request body to a temporary file.

ID	Name	Product	Family	Severity
136826	Palo Alto Networks PAN-OS 7.1.x < 8.1.14 / 8.0.x < 8.1.14 / 8.1.x < 8.1.14 / 9.0.x < 9.0.7 Vulnerability	Nessus	Palo Alto Local Security Checks	high
121651	Photon OS 1.0: Nginx PHSA-2016-0012	Nessus	PhotonOS Local Security Checks	high
98965	Nginx < 1.10.1 NULL Pointer Dereference	Web App Scanning	Component Vulnerability	high
98964	Nginx < 1.11.1 NULL Pointer Dereference	Web App Scanning	Component Vulnerability	high
118150	nginx < 1.10.1 / 1.11.x < 1.11.1 Denial-of-Service Vulnerability	Nessus	Web Servers	high
107063	Arista Networks EOS ngx_chain_to_iovec NULL Pointer Deference DoS (SA0021)	Nessus	Misc.	high
103587	GLSA-201606-06 : nginx: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
96943	openSUSE Security Update : nginx (openSUSE-2017-192)	Nessus	SuSE Local Security Checks	high
92194	Fedora 23 : 1:nginx (2016-ea323bd6cf)	Nessus	Fedora Local Security Checks	high
92155	Fedora 24 : 1:nginx (2016-c329fc4c32)	Nessus	Fedora Local Security Checks	high
91629	Amazon Linux AMI : nginx (ALAS-2016-715)	Nessus	Amazon Linux Local Security Checks	high
91451	Ubuntu 14.04 LTS / 16.04 LTS : nginx vulnerability (USN-2991-1)	Nessus	Ubuntu Local Security Checks	high
91431	Debian DSA-3592-1 : nginx - security update	Nessus	Debian Local Security Checks	high
91399	FreeBSD : nginx -- a specially crafted request might result in worker process crash (36cf7670-2774-11e6-af29-f0def16c5c1b)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2016-4450

high

Tenable Plugins

Coming Soon

high

high

high

high

high

high

high

high

high

high

high

high

high

high