Nginx security issues cause over 14 million servers to be vulnerable to DoS attacks

In recent days nginx has been hit by security problems that may leave more than 14 million servers vulnerable to DoS attacks. The vulnerabilities behind these issues lie in the HTTP/2 and MP4 modules.

The nginx web server released a new version on November 6 to fix multiple security issues affecting versions before 1.15.6 and 1.14.1. The issues found allow potential attackers to trigger a denial-of-service (DoS) condition and to gain access to sensitive information.

Two security issues were identified in the nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and excessive CPU usage (CVE-2018-16844), as detailed in nginx’s security advisory.

Also, per the advisory: “The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the ‘http2’ option of the ‘listen’ directive is used in a configuration file.”

To exploit either of these two issues, an attacker sends a specially crafted HTTP/2 request that drives CPU and memory usage up until the server enters a DoS state.

All nginx servers running unpatched are vulnerable to DoS attacks.

The third security issue (CVE-2018-16845) affects the MP4 module and lets an attacker cause an infinite loop, a crash, or a memory leak in a worker process with the help of a maliciously crafted MP4 file.

This last issue only affects servers running an nginx build that includes ngx_http_mp4_module and has the mp4 option enabled in the configuration file.

Overall, the HTTP/2 vulnerabilities affect all nginx versions from 1.9.5 to 1.15.5, and the MP4 module issue affects servers running nginx 1.0.7 and higher or 1.1.3 and higher.

To mitigate these security issues, server administrators must upgrade nginx to the 1.14.1 stable or 1.15.6 mainline release.
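As an added, defender-side illustration (not code from the article or from the nginx project), the script below takes the text of `nginx -V` and of a configuration file and reports which of the three CVEs a server is exposed to, applying the version ranges and the module/directive conditions stated above. The `nginx -V` line formats it parses are assumed, and the sample build output and configuration are constructed, not taken from a real host.

```python
import re

# Fix releases named in the advisory (stable 1.14.1, mainline 1.15.6); assumed
# that any later branch (1.16+) inherits the fixes.
FIXED = {(1, 14): (1, 14, 1), (1, 15): (1, 15, 6)}
LAST_MAINLINE_FIX = (1, 15, 6)

def parse_build(nginx_v_output):
    """Return (version tuple, set of compiled-in http modules) from `nginx -V` text."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v_output)
    if not m:
        raise ValueError("no 'nginx version:' line found")
    version = tuple(int(x) for x in m.groups())
    modules = set(re.findall(r"--with-(http_\w+_module)", nginx_v_output))
    return version, modules

def is_patched(version):
    """True if the build already carries the November 2018 fixes."""
    fixed = FIXED.get(version[:2])
    if fixed is not None:
        return version >= fixed
    return version > LAST_MAINLINE_FIX  # 1.13 and older branches never got a fix release

def assess(nginx_v_output, conf):
    """Map each CVE from the advisory to whether this build + config is exposed."""
    version, modules = parse_build(nginx_v_output)
    conf = re.sub(r"#.*", "", conf)  # drop comments before looking for directives
    http2_listen = re.search(r"^\s*listen\b[^;]*\bhttp2\b", conf, re.M) is not None
    mp4_used = re.search(r"^\s*mp4\s*;", conf, re.M) is not None
    unpatched = not is_patched(version)
    # HTTP/2 bugs: 1.9.5 .. 1.15.5, only with ngx_http_v2_module built in and "http2" on a listen
    h2_exposed = (unpatched and (1, 9, 5) <= version <= (1, 15, 5)
                  and "http_v2_module" in modules and http2_listen)
    # MP4 bug: 1.0.7+ and 1.1.3+, only with ngx_http_mp4_module built in and "mp4" used
    mp4_range = (1, 0, 7) <= version < (1, 1, 0) or version >= (1, 1, 3)
    mp4_exposed = unpatched and mp4_range and "http_mp4_module" in modules and mp4_used
    return {"CVE-2018-16843": h2_exposed, "CVE-2018-16844": h2_exposed, "CVE-2018-16845": mp4_exposed}

# Constructed sample input: an unpatched 1.14.0 with both modules built in and in use.
SAMPLE_NGINX_V = """nginx version: nginx/1.14.0
built with OpenSSL 1.1.0g  2 Nov 2017
configure arguments: --with-http_ssl_module --with-http_v2_module --with-http_mp4_module
"""
SAMPLE_CONF = """
server {
    listen 443 ssl http2;   # HTTP/2 enabled on this vhost
    location /video/ {
        mp4;                # MP4 pseudo-streaming
    }
}
"""

if __name__ == "__main__":
    for cve, exposed in assess(SAMPLE_NGINX_V, SAMPLE_CONF).items():
        print(cve, "EXPOSED, upgrade to 1.14.1 / 1.15.6" if exposed else "not exposed")
```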

Currently, a Shodan search shows that more than 14 million servers (14,036,690, to be precise) run a version of nginx without the fixes, while only 6,992 servers have the security patches.

Via: Softpedia