EulerOS 2.0 SP3 : nginx (EulerOS-SA-2018-1399)

High Nessus Plugin ID 119527

Synopsis

The remote EulerOS host is missing multiple security updates.

Description

According to the versions of the nginx package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

- nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.(CVE-2018-16843)

- nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.(CVE-2018-16844)

- An instance of missing input sanitization was found in the mp4 module for nginx. A local attacker could create a specially crafted video file that, when streamed by the server, would cause a denial of service (server crash or hang) and, possibly, information disclosure.(CVE-2018-16845)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected nginx packages.

See Also

http://www.nessus.org/u?d6876f3b

Plugin Details

Severity: High

ID: 119527

File Name: EulerOS_SA-2018-1399.nasl

Version: 1.3

Type: local

Published: 2018/12/10

Updated: 2019/06/28

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:nginx, cpe:/o:huawei:euleros:2.0

Required KB Items: Host/local_checks_enabled, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp

Excluded KB Items: Host/EulerOS/uvp_version

Patch Publication Date: 2018/11/26

Reference Information

CVE: CVE-2018-16843, CVE-2018-16844, CVE-2018-16845