Bug 1644508 (CVE-2018-16845) - CVE-2018-16845 nginx: Denial of service and memory disclosure via mp4 module
Summary: CVE-2018-16845 nginx: Denial of service and memory disclosure via mp4 module
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-16845
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20181106,repo...
Depends On: 1647256 1647255 1647257 1648219 1648220 1648221 1648223 1648362 1648363 1648364 1648365
Blocks: 1644513
 
Reported: 2018-10-31 04:02 UTC by Sam Fowler
Modified: 2019-06-11 11:13 UTC

Fixed In Version: nginx 1.15.6, nginx 1.14.1
Doc Type: If docs needed, set a value
Doc Text:
An instance of missing input sanitization was found in the mp4 module for nginx. A local attacker could create a specially crafted video file that, when streamed by the server, would cause a denial of service (server crash or hang) and, possibly, information disclosure.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:41:20 UTC




Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2018:3652 | None | None | None | 2018-11-26 12:07:12 UTC
Red Hat Product Errata | RHSA-2018:3653 | None | None | None | 2018-11-26 12:26:47 UTC
Red Hat Product Errata | RHSA-2018:3680 | None | None | None | 2018-11-27 09:03:14 UTC
Red Hat Product Errata | RHSA-2018:3681 | None | None | None | 2018-11-27 09:17:38 UTC

Description Sam Fowler 2018-10-31 04:02:02 UTC
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the mp4 module that allows for denial of service or worker process memory disclosure.

Comment 1 Borja Tarraso 2018-11-02 08:47:57 UTC
Acknowledgments:

Name: the Nginx project

Comment 2 Borja Tarraso 2018-11-02 15:06:50 UTC
Ansible Tower is not using ngx_http_mp4_module at all and is therefore not affected.

Comment 3 Borja Tarraso 2018-11-02 20:11:00 UTC
Already did some research and discussed with Satoe I. from CloudForms. CFME does not use nginx in any way beyond its inclusion from Ansible Tower (its configuration is not changed or altered, and it is not used outside of Tower), and Ansible Tower is not affected, so CloudForms is also not affected; updating the task accordingly.

Comment 5 Sam Fowler 2018-11-07 00:33:58 UTC
Created nginx tracking bugs for this issue:

Affects: epel-all [bug 1647256]
Affects: fedora-all [bug 1647255]

Comment 10 Riccardo Schirone 2018-11-08 10:16:18 UTC
Mercurial commit that patches this flaw:
http://hg.nginx.org/nginx/rev/fdc19a3289c1

Comment 11 Riccardo Schirone 2018-11-08 10:21:06 UTC
The ngx_http_mp4_read_atom() function in the ngx_http_mp4_module.c file does not check whether atom_size in a 64-bit atom in mp4 files is greater than the minimum value atom_header_size, which is 16 for 64-bit atoms. When atom_header_size is subtracted from atom_size, the result may underflow and cause various issues such as infinite loops (when the size is 0), crashes or memory disclosure.

Comment 14 errata-xmlrpc 2018-11-26 12:06:57 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3652 https://access.redhat.com/errata/RHSA-2018:3652

Comment 15 errata-xmlrpc 2018-11-26 12:26:36 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2018:3653 https://access.redhat.com/errata/RHSA-2018:3653

Comment 16 errata-xmlrpc 2018-11-27 09:03:01 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3680 https://access.redhat.com/errata/RHSA-2018:3680

Comment 17 errata-xmlrpc 2018-11-27 09:17:24 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3681 https://access.redhat.com/errata/RHSA-2018:3681

