NGINX is affected by security issues that may leave more than 14 million servers vulnerable to DoS attacks. The vulnerabilities were found in the ngx_http_v2_module and ngx_http_mp4_module modules.
Two vulnerabilities were found in the HTTP/2 implementation of NGINX. NGINX servers are affected if they were compiled with the ngx_http_v2_module module (which is not compiled in by default) and the http2 option of the listen directive is used in a configuration file. The vulnerabilities can cause excessive memory usage (CVE-2018-16843) and high CPU utilization (CVE-2018-16844).
An attacker can send specially crafted HTTP/2 requests to trigger these vulnerabilities, causing high CPU utilization and excessive memory usage and therefore a denial of service. All running NGINX servers that have not been patched are vulnerable to such DoS attacks.
- CVE-2018-16843 and CVE-2018-16844 affect mainline NGINX versions 1.9.5 or later and 1.15.5 or earlier.
- CVE-2018-16845 affects mainline NGINX versions 1.1.3 or later and 1.0.7 or later.
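As an added defender's check that is not part of this advisory, the following POSIX shell function applies the three HTTP/2 exposure conditions above (affected version range, ngx_http_v2_module compiled in, http2 flag on a listen directive) to the text of `nginx -V` and `nginx -T`. The sample outputs and the server name are constructed; the special case for 1.14.1 reflects the stable release that shipped the fix alongside 1.15.6.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an NGINX build/config
# against the HTTP/2 DoS conditions for CVE-2018-16843 / CVE-2018-16844.
# Inputs are plain strings so it runs offline; on a live host feed it
#   "$(nginx -V 2>&1)"  and  "$(nginx -T 2>/dev/null)".

# version_in_range VERSION LOW HIGH -> exit 0 if LOW <= VERSION <= HIGH
# Each dotted version is packed into a single integer (1.15.5 -> 1015005).
version_in_range() {
  v=$(printf '%s\n'  "$1" | awk -F. '{printf "%d%03d%03d", $1, $2, $3}')
  lo=$(printf '%s\n' "$2" | awk -F. '{printf "%d%03d%03d", $1, $2, $3}')
  hi=$(printf '%s\n' "$3" | awk -F. '{printf "%d%03d%03d", $1, $2, $3}')
  [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# http2_exposed NGINX_V_OUTPUT NGINX_T_OUTPUT
# Prints: unknown-version | version-not-affected | module-absent |
#         http2-not-listening | exposed
http2_exposed() {
  vout=$1; conf=$2
  ver=$(printf '%s\n' "$vout" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p')
  [ -n "$ver" ] || { echo unknown-version; return 0; }
  # Advisory range is 1.9.5 .. 1.15.5 (mainline); stable 1.14.1 carries the fix.
  if [ "$ver" = 1.14.1 ] || ! version_in_range "$ver" 1.9.5 1.15.5; then
    echo version-not-affected; return 0
  fi
  case "$vout" in
    *--with-http_v2_module*) ;;                 # module compiled in
    *) echo module-absent; return 0 ;;
  esac
  # Drop comments, then look for a listen directive carrying the http2 flag.
  if printf '%s\n' "$conf" | sed 's/#.*//' \
     | grep -Eq '^[[:space:]]*listen[^;]*[[:space:]]http2([[:space:];]|$)'; then
    echo exposed
  else
    echo http2-not-listening
  fi
}

# Constructed sample inputs (hypothetical host), not real command output.
SAMPLE_V='nginx version: nginx/1.15.3
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module'
SAMPLE_T='# configuration file /etc/nginx/nginx.conf:
server {
    listen 443 ssl http2;
    server_name example.test;
}'

http2_exposed "$SAMPLE_V" "$SAMPLE_T"   # prints: exposed
```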
Risk level: high
Rule-based defense: A virtual patch is available in the Cloud Firewall console to defend against these vulnerabilities.
Rule type: DoS attack