Bug 1115015 - (CVE-2018-16845) VUL-0: CVE-2018-16845: nginx,nginx-1.0: Denial of service and memory disclosure via mp4 module
Status: REOPENED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Assigned To: Artem Chernikov
Security Team bot
https://smash.suse.de/issue/218726/
CVSSv3:SUSE:CVE-2018-16845:8.2:(AV:N/...
Reported: 2018-11-07 13:17 UTC by Robert Frohl
Modified: 2021-03-19 08:05 UTC (History)
Found By: Security Response Team
Description Robert Frohl 2018-11-07 13:17:51 UTC
rh#1644508

nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the mp4 module that allows for denial of service or worker process memory disclosure.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1644508
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16845
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-16845.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16845
Comment 1 Robert Frohl 2018-11-07 13:18:53 UTC
This does not affect any codestream because the ngx_http_mp4_module is not built or even shipped anywhere.
Comment 2 Christian Wittmer 2018-12-18 09:32:42 UTC
the mp4 module is built and shipped ...

admin@lap:~/OBS/home:computersalat:branches:OBS_Maintained:nginx> grep -R "\--with-http_mp4_" *
nginx.openSUSE_Backports_SLE-12/.osc/nginx.changes:- added mp4 module (--with-http_mp4_module)
nginx.openSUSE_Backports_SLE-12/.osc/nginx.changes:    * Bugfix: nginx could not be built --with-http_mp4_module and without
nginx.openSUSE_Backports_SLE-12/.osc/nginx.spec:  --with-http_mp4_module                       \
nginx.openSUSE_Backports_SLE-12/nginx.changes:- added mp4 module (--with-http_mp4_module)
nginx.openSUSE_Backports_SLE-12/nginx.changes:    * Bugfix: nginx could not be built --with-http_mp4_module and without
nginx.openSUSE_Backports_SLE-12/nginx.spec:  --with-http_mp4_module                       \
nginx.openSUSE_Leap_15.0_Update/.osc/nginx.changes:- added mp4 module (--with-http_mp4_module)
nginx.openSUSE_Leap_15.0_Update/.osc/nginx.changes:    * Bugfix: nginx could not be built --with-http_mp4_module and without
nginx.openSUSE_Leap_15.0_Update/.osc/nginx.spec:  --with-http_mp4_module                       \
nginx.openSUSE_Leap_15.0_Update/nginx.changes:- added mp4 module (--with-http_mp4_module)
nginx.openSUSE_Leap_15.0_Update/nginx.changes:    * Bugfix: nginx could not be built --with-http_mp4_module and without
nginx.openSUSE_Leap_15.0_Update/nginx.spec:  --with-http_mp4_module                       \
nginx.openSUSE_Leap_42.3_Update/.osc/nginx.changes:- added mp4 module (--with-http_mp4_module)
nginx.openSUSE_Leap_42.3_Update/.osc/nginx.changes:    * Bugfix: nginx could not be built --with-http_mp4_module and without
nginx.openSUSE_Leap_42.3_Update/.osc/nginx.spec:  --with-http_mp4_module                       \
nginx.openSUSE_Leap_42.3_Update/nginx.changes:- added mp4 module (--with-http_mp4_module)
nginx.openSUSE_Leap_42.3_Update/nginx.changes:    * Bugfix: nginx could not be built --with-http_mp4_module and without
nginx.openSUSE_Leap_42.3_Update/nginx.spec:  --with-http_mp4_module

#####################
Memory disclosure in the ngx_http_mp4_module
Severity: medium
Advisory
CVE-2018-16845
Not vulnerable: 1.15.6+, 1.14.1+
Vulnerable: 1.1.3-1.15.5, 1.0.7-1.0.15
#####################

preparing a maintenance Request ...
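The two facts that decide exposure in this comment are the build flag (`--with-http_mp4_module` in the spec) and the version ranges in the quoted advisory. The following is an added example, not code from the bug report or from nginx, that applies both to the output of `nginx -V` on a host. It also handles the detail the advisory's ranges hide: 1.14.1 and later on the stable branch are fixed even though they sit numerically inside 1.1.3-1.15.5. The sample `nginx -V` text is constructed for the example, and the helper names (`parse_nginx_v`, `version_vulnerable`, `assess`) are this example's own.

```python
"""Added example (not part of the bug report or of nginx itself): classify a
running nginx for CVE-2018-16845 from its `nginx -V` output, using the
version ranges from the advisory quoted in Comment 2."""
import re
import subprocess

# Inclusive vulnerable ranges from the advisory: 1.0.7-1.0.15 and 1.1.3-1.15.5.
VULNERABLE_RANGES = (
    ((1, 0, 7), (1, 0, 15)),
    ((1, 1, 3), (1, 15, 5)),
)
# First fixed release per branch from the advisory: 1.14.1+ (stable), 1.15.6+ (mainline).
FIXED_STABLE = (1, 14, 1)
FIXED_MAINLINE = (1, 15, 6)


def parse_nginx_v(output):
    """Return (version tuple, list of configure arguments) from `nginx -V` text."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no 'nginx version:' line in input")
    version = tuple(int(part) for part in m.groups())
    cm = re.search(r"^configure arguments:(.*)$", output, re.MULTILINE)
    args = cm.group(1).split() if cm else []
    return version, args


def version_vulnerable(version):
    """Apply the advisory's ranges.  1.14.1-1.14.x lies numerically inside
    1.1.3-1.15.5 but is fixed (stable branch), so fixed releases are checked
    before the ranges."""
    if version >= FIXED_MAINLINE:
        return False
    if FIXED_STABLE <= version < (1, 15, 0):
        return False
    return any(lo <= version <= hi for lo, hi in VULNERABLE_RANGES)


def mp4_module_built(args):
    """The module is optional; only builds configured with it carry the code."""
    return "--with-http_mp4_module" in args


def assess(output):
    """'affected' requires both a vulnerable version and the module being built in."""
    version, args = parse_nginx_v(output)
    in_range = version_vulnerable(version)
    built = mp4_module_built(args)
    return {
        "version": ".".join(str(p) for p in version),
        "version_vulnerable": in_range,
        "mp4_module_built": built,
        "affected": in_range and built,
    }


# Constructed sample of `nginx -V 2>&1` (assumed layout, not captured from a real host).
SAMPLE_OLD = """nginx version: nginx/1.14.0
built by gcc 7.3.1 (example build, constructed)
built with OpenSSL 1.1.0h  27 Mar 2018
TLS SNI support enabled
configure arguments: --prefix=/usr --with-http_ssl_module --with-http_mp4_module --with-http_v2_module
"""
SAMPLE_FIXED = SAMPLE_OLD.replace("nginx/1.14.0", "nginx/1.14.2")
SAMPLE_NO_MP4 = SAMPLE_OLD.replace(" --with-http_mp4_module", "")


def assess_local():
    """Run against the nginx binary on PATH; nginx -V writes to stderr."""
    try:
        proc = subprocess.run(["nginx", "-V"], capture_output=True, text=True)
    except OSError:
        return None
    return assess(proc.stdout + proc.stderr)


if __name__ == "__main__":
    result = assess_local()
    if result is None:
        print("nginx not found on PATH, assessing the constructed sample instead")
        result = assess(SAMPLE_OLD)
    print(result)
```

Two caveats when using this on distribution hosts. Distribution packages often carry backported fixes without changing the upstream version string, so on SUSE the authoritative check is the installed package release against the one named in the update (for example `rpm -q nginx` compared with the nginx-1.14.2 builds listed in the later Swamp comments), not the upstream version alone. And a build that contains the module only runs its code for locations where the `mp4` directive is configured, so a positive result here means the vulnerable code is present, while the configuration decides whether it is reachable.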
Comment 3 Swamp Workflow Management 2018-12-18 11:43:26 UTC
This is an autogenerated message for OBS integration:
This bug (1115015) was mentioned in
https://build.opensuse.org/request/show/659058 15.0+42.3+Backports:SLE-12 / nginx
Comment 4 Robert Frohl 2018-12-18 16:16:31 UTC
Hi Christian Wittmer,
thanks for bringing this up. Looks like I made a mistake when investigating this issue originally. I will look into this further.
Comment 5 Robert Frohl 2018-12-18 16:40:07 UTC
Hi Artem,
after re-examining the issue my original conclusion was wrong. All codestreams are affected:
- SUSE:SLE-11-SP2:Update/nginx-1.0
- SUSE:SLE-15:Update/nginx
Comment 6 Swamp Workflow Management 2019-02-05 11:40:07 UTC
This is an autogenerated message for OBS integration:
This bug (1115015) was mentioned in
https://build.opensuse.org/request/show/671823 42.3 / nginx
Comment 7 Swamp Workflow Management 2019-02-05 13:30:07 UTC
This is an autogenerated message for OBS integration:
This bug (1115015) was mentioned in
https://build.opensuse.org/request/show/671853 15.0 / nginx
Comment 8 Swamp Workflow Management 2019-02-05 19:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (1115015) was mentioned in
https://build.opensuse.org/request/show/671959 15.0+42.3+Backports:SLE-12 / nginx
Comment 10 Swamp Workflow Management 2019-02-12 17:10:25 UTC
SUSE-SU-2019:0334-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1115015,1115022,1115025
CVE References: CVE-2018-16843,CVE-2018-16844,CVE-2018-16845
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    nginx-1.14.2-3.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    nginx-1.14.2-3.3.1
Comment 11 Swamp Workflow Management 2019-02-18 14:13:42 UTC
openSUSE-SU-2019:0195-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1115015,1115022,1115025
CVE References: CVE-2018-16843,CVE-2018-16844,CVE-2018-16845
Sources used:
openSUSE Leap 42.3 (src):    nginx-1.14.2-2.7.1
openSUSE Leap 15.0 (src):    nginx-1.14.2-lp150.2.4.1
Comment 12 Swamp Workflow Management 2019-02-18 14:15:00 UTC
openSUSE-SU-2019:0195-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1115015,1115022,1115025
CVE References: CVE-2018-16843,CVE-2018-16844,CVE-2018-16845
Sources used:
openSUSE Leap 42.3 (src):    nginx-1.14.2-2.7.1
openSUSE Leap 15.0 (src):    nginx-1.14.2-lp150.2.4.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    nginx-1.14.2-16.1
Comment 15 Swamp Workflow Management 2019-09-05 19:14:10 UTC
SUSE-SU-2019:2309-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1115015,1115022,1115025,1145579,1145580,1145582
CVE References: CVE-2018-16843,CVE-2018-16844,CVE-2018-16845,CVE-2019-9511,CVE-2019-9513,CVE-2019-9516
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    nginx-1.14.2-6.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    nginx-1.14.2-6.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2019-09-10 22:19:08 UTC
openSUSE-SU-2019:2120-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1115015,1115022,1115025,1145579,1145580,1145582
CVE References: CVE-2018-16843,CVE-2018-16844,CVE-2018-16845,CVE-2019-9511,CVE-2019-9513,CVE-2019-9516
Sources used:
openSUSE Leap 15.1 (src):    nginx-1.14.2-lp151.4.3.1