PT-2016-4400 · Nginx+3 · Nginx+3

Martin Prpič

Published

2016-01-26

Updated

2024-06-15

CVE-2016-0747

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions nginx versions 1.8.0 through 1.8.1 nginx versions 1.9.x through 1.9.10

Description The issue is related to the resolver in nginx not properly limiting CNAME resolution. This allows remote attackers to cause a denial of service by consuming worker process resources via vectors related to arbitrary name resolution.

Recommendations For nginx versions 1.8.0 through 1.8.1, update to version 1.8.1 or later to resolve the issue. For nginx versions 1.9.x through 1.9.10, update to version 1.9.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the resolver to minimize the risk of exploitation.

Fix

DoS

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400

Related Identifiers

ALT-PU-2016-1070

CVE-2016-0747

DSA-3473-1

MGASA-2016-0065

OPENSUSE-SU-2024:10044-1

RHSA-2016:1425

SUSE-SU-2016:1232-1

USN-2892-1

Affected Products

Alt Linux

Apple Macos

Nginx

Ubuntu

PT-2016-4400 · Nginx+3 · Nginx+3

CVE-2016-0747

Weakness Enumeration

Related Identifiers

Affected Products

References · 58