7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.097 Low
EPSS
Percentile
94.7%
Issue Overview:
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the ‘http2’ option of the ‘listen’ directive is used in a configuration file. (CVE-2018-16843)
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the ‘http2’ option of the ‘listen’ directive is used in a configuration file. (CVE-2018-16844)
Affected Packages:
nginx
Issue Correction:
Run yum update nginx to update your system.
New Packages:
i686:
nginx-mod-stream-1.14.1-2.34.amzn1.i686
nginx-mod-http-geoip-1.14.1-2.34.amzn1.i686
nginx-mod-http-xslt-filter-1.14.1-2.34.amzn1.i686
nginx-debuginfo-1.14.1-2.34.amzn1.i686
nginx-mod-http-perl-1.14.1-2.34.amzn1.i686
nginx-mod-mail-1.14.1-2.34.amzn1.i686
nginx-mod-http-image-filter-1.14.1-2.34.amzn1.i686
nginx-all-modules-1.14.1-2.34.amzn1.i686
nginx-1.14.1-2.34.amzn1.i686
src:
nginx-1.14.1-2.34.amzn1.src
x86_64:
nginx-all-modules-1.14.1-2.34.amzn1.x86_64
nginx-mod-http-image-filter-1.14.1-2.34.amzn1.x86_64
nginx-mod-http-perl-1.14.1-2.34.amzn1.x86_64
nginx-debuginfo-1.14.1-2.34.amzn1.x86_64
nginx-mod-http-geoip-1.14.1-2.34.amzn1.x86_64
nginx-mod-mail-1.14.1-2.34.amzn1.x86_64
nginx-1.14.1-2.34.amzn1.x86_64
nginx-mod-stream-1.14.1-2.34.amzn1.x86_64
nginx-mod-http-xslt-filter-1.14.1-2.34.amzn1.x86_64
Red Hat: CVE-2018-16843, CVE-2018-16844
Mitre: CVE-2018-16843, CVE-2018-16844
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.097 Low
EPSS
Percentile
94.7%