CVE-2016-4450 Nginx Vulnerabilities | Cloud Foundry

2016-07-13T00:00:00
ID CFOUNDRY:7E643D3894ADF4F839871B17C265A598
Type cloudfoundry
Reporter Cloud Foundry
Modified 2016-07-13T00:00:00

Description

CVE-2016-4450 Nginx Vulnerabilities

Medium

Vendor

nginx, Cloud Foundry

Versions Affected

  • nginx before 1.10.1 and 1.11.x versions before 1.11.1
  • Cloud Foundry staticfile buildpack prior to version 1.3.9
  • Cloud Foundry cf-release prior to version 238

Description

os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.

Mitigation

Users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry version 238 or later
  • Upgrade the Cloud Foundry staticfile buildpack to version 1.3.9 or later and restage all applications that use automated buildpack detection

References

  • <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4450>