The vulnerabilities reside in the HTTP/2 and MP4 modules
November 7th, 2018, By Sergiu Gatlan
New versions of the nginx web server have been released on November 6 to patch multiple security issues affecting versions before 1.15.6, 1.14.1 and allowing potential attackers to trigger a denial-of-service (DoS) state and to access to potentially sensitive info.
According to its project website, nginx is an open source “HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server” released under the 2-clause BSD-like license.
Furthermore, “According to Netcraft, nginx served or proxied 25.28% busiest sites in October 2018. Here are some of the success stories: Dropbox, Netflix, WordPress.com, FastMail.FM” (emphasis ours.)
“Two security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844),” as detailed in nginx’s advisory.