PT-2018-2562 · Nginx+4

Gal Goldshtein · Published 2018-11-06 · Updated 2024-10-04 · CVE-2018-16844

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

nginx versions 1.14.0 through 1.14.1
nginx versions 1.15.0 through 1.15.6

Description

The issue is in the HTTP/2 implementation in nginx and can lead to excessive CPU usage. It affects nginx compiled with ngx_http_v2_module, but only if the 'http2' option of the 'listen' directive is used in a configuration file. A remote attacker can exploit the vulnerability to cause a denial of service.

Recommendations

For versions 1.14.0 through 1.14.1, update to version 1.14.1 or later. For versions 1.15.0 through 1.15.6, update to version 1.15.6 or later. As a temporary workaround, consider disabling ngx_http_v2_module or removing the 'http2' option from the 'listen' directive in the configuration file until a patch is available.
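
The following check is an added example, not part of the original advisory or of nginx itself. It tests the three conditions the description names (listed version range, HTTP/2 module compiled in, 'http2' on a 'listen' directive) against the text of `nginx -V` and `nginx -T`. The function names and both sample inputs are constructed for illustration.

```python
import re

# Affected upstream version ranges exactly as listed on this page (inclusive).
AFFECTED = [((1, 14, 0), (1, 14, 1)), ((1, 15, 0), (1, 15, 6))]

# Constructed sample of `nginx -V` output (nginx prints it on stderr).
SAMPLE_V = ("nginx version: nginx/1.15.3\n"
            "configure arguments: --with-http_ssl_module --with-http_v2_module\n")

# Constructed sample configuration, e.g. as dumped by `nginx -T`.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;      # HTTP/2 enabled on this socket
    # listen 8443 ssl http2;   (commented out, must not count)
    listen 80;
    server_name example.test;
}
"""

def parse_build(nginx_v_output):
    """Return (version tuple or None, True if the HTTP/2 module is compiled in)."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v_output)
    version = tuple(int(p) for p in m.groups()) if m else None
    return version, "--with-http_v2_module" in nginx_v_output

def http2_listens(conf_text):
    """Return every active 'listen' directive that carries the 'http2' option."""
    # Simplification: '#' inside a quoted string is also treated as a comment.
    text = re.sub(r"#[^\n]*", "", conf_text)
    hits = []
    for stmt in re.split(r"[;{}]", text):   # directives end with ';' or open a block
        words = stmt.split()
        if words and words[0] == "listen" and "http2" in words[1:]:
            hits.append(" ".join(words))
    return hits

def assess(nginx_v_output, conf_text):
    """Combine the conditions from the description into one finding."""
    version, has_v2 = parse_build(nginx_v_output)
    in_range = version is not None and any(lo <= version <= hi for lo, hi in AFFECTED)
    listens = http2_listens(conf_text)
    # Distribution packages may backport the fix, so in_range is only a first filter.
    return {"version": version, "in_listed_range": in_range, "http2_module": has_v2,
            "http2_listens": listens, "exposed": in_range and has_v2 and bool(listens)}

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_CONF))
```

Feeding it the `nginx -T` dump rather than a single file covers directives pulled in through `include`.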

Fix

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALT-PU-2018-2601
BDU:2019-00983
CVE-2018-16844
DSA-4335-1
MGASA-2018-0459
OPENSUSE-SU-2019:0195-1
OPENSUSE-SU-2019:2120-1
OPENSUSE-SU-2019_0195-1
OPENSUSE-SU-2019_2120-1
RHSA-2018:3680
RHSA-2018:3681
SUSE-SU-2019:0334-1
SUSE-SU-2019:2309-1
USN-3812-1

Affected Products

Alt Linux
Apple Macos
Nginx
Suse
Ubuntu