IBMAC622A6187A7992B3F04C541A8233851E516021322B7E8B55DBFE6D0C8088EADSecurity Bulletin: Security Vulnerabilities affect IBM Cloud Private - nginx (CVE-2018-16844, CVE-2018-16845, CVE-2018-16843, CVE-2019-7401)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.097 Low
EPSS
Percentile
94.7%
Summary
Security Vulnerabilities affect IBM Cloud Private - nginx
Vulnerability Details
CVEID:CVE-2018-16844
**DESCRIPTION:**nginx is vulnerable to a denial of service, caused by a flaw when complied with ngx_http_v2_module. By sending a specially-crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause excessive CPU consumption.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152680 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2018-16845
**DESCRIPTION:**nginx is vulnerable to a denial of service, caused by an error when compiled with the ngx_http_mp4_module. By persuading a victim to open a specially-crafted mp4 file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop or obtain sensitive information from worker process memory.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152681 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)
CVEID:CVE-2018-16843
**DESCRIPTION:**nginx is vulnerable to a denial of service, caused by a flaw when complied with ngx_http_v2_module. By sending a specially-crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause excessive memory consumption.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152679 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2019-7401
**DESCRIPTION:**NGINX Unit is vulnerable to a denial of service, caused by a heap-based buffer overflow in the router process. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the router process to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156770 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Cloud Private | 3.2.1 CD |
| IBM Cloud Private | 3.2.2 CD |
Remediation/Fixes
Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages
- IBM Cloud Private 3.2.1
- IBM Cloud Private 3.2.2
For IBM Cloud Private 3.2.1, apply fix pack:
For IBM Cloud Private 3.2.2, apply fix pack:
For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2, 3.2.0
- Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2.
- If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm cloud private | eq | 3.2.1 | |
| ibm cloud private | eq | 3.2.2 |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
0.097 Low
EPSS
Percentile
94.7%