nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the mp4 module that allows for denial of service or worker process memory disclosure.
Acknowledgments: Name: the Nginx project
Ansible Tower does not use ngx_http_mp4_module at all and is therefore not affected.
Already did some research and discussed with Satoe I. from CloudForms. CFME does not use nginx in any way beyond the inclusion from Ansible Tower (no changed or altered configuration, and not used outside of Tower), and Ansible Tower is not affected, so CloudForms is also not affected; updating the task accordingly.
External Reference: http://mailman.nginx.org/pipermail/nginx-announce/2018/000221.html Upstream Patch: http://nginx.org/download/patch.2018.mp4.txt
Created nginx tracking bugs for this issue: Affects: epel-all [bug 1647256] Affects: fedora-all [bug 1647255]
Mercurial commit that patches this flaw: http://hg.nginx.org/nginx/rev/fdc19a3289c1
The ngx_http_mp4_read_atom() function in ngx_http_mp4_module.c does not check that the atom_size of a 64-bit atom in an mp4 file is at least atom_header_size, the minimum for a 64-bit atom (16 bytes). When atom_header_size is subtracted from atom_size, the unsigned result may underflow and cause various issues such as infinite loops (when the size is 0), crashes, or memory disclosure.
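The following is an added example and not nginx's own code: a minimal atom-header reader that mirrors the structure of the pre-patch logic (32-bit size field, value 1 meaning a 64-bit size follows the type) and shows the unsigned underflow next to the lower-bound check the upstream patch adds. The function and field names (read_atom, atom_info_t, the `hardened` flag) and the sample byte strings are constructed for this illustration and do not appear in the nginx sources.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header sizes of the two mp4 atom layouts: 8 bytes (32-bit size + type)
 * and 16 bytes (32-bit size == 1, type, then a 64-bit size). */
#define ATOM_HEADER_SIZE    8u
#define ATOM_HEADER64_SIZE  16u

typedef struct {
    int       ok;           /* 1 = header accepted, 0 = rejected */
    char      type[5];      /* four-character atom type, NUL-terminated */
    uint64_t  header_size;  /* 8 or 16 */
    uint64_t  data_size;    /* atom_size - header_size as the parser would use it */
} atom_info_t;

static uint32_t get_32(const uint8_t *p)
{
    return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16)
         | ((uint32_t) p[2] << 8)  |  (uint32_t) p[3];
}

static uint64_t get_64(const uint8_t *p)
{
    return ((uint64_t) get_32(p) << 32) | get_32(p + 4);
}

/* Read one atom header from buf.  hardened == 0 mirrors the pre-patch
 * behaviour: a 64-bit atom_size below 16 is accepted and the subtraction
 * wraps around.  hardened == 1 applies the missing lower-bound check. */
static atom_info_t read_atom(const uint8_t *buf, size_t len, int hardened)
{
    atom_info_t info;
    uint64_t    atom_size, atom_header_size;

    memset(&info, 0, sizeof(info));

    if (len < ATOM_HEADER_SIZE) {
        return info;                        /* truncated header */
    }

    atom_size = get_32(buf);
    memcpy(info.type, buf + 4, 4);
    atom_header_size = ATOM_HEADER_SIZE;

    if (atom_size == 0) {
        info.ok = 1;                        /* atom extends to end of file */
        info.header_size = atom_header_size;
        return info;
    }

    if (atom_size < ATOM_HEADER_SIZE) {
        if (atom_size != 1) {
            return info;                    /* "mp4 atom is too small" */
        }
        if (len < ATOM_HEADER64_SIZE) {
            return info;                    /* truncated 64-bit header */
        }
        atom_size = get_64(buf + 8);        /* 64-bit atom: real size follows */
        atom_header_size = ATOM_HEADER64_SIZE;

        if (hardened && atom_size < ATOM_HEADER64_SIZE) {
            return info;                    /* the check the upstream patch adds */
        }
    }

    info.ok = 1;
    info.header_size = atom_header_size;
    info.data_size = atom_size - atom_header_size;  /* wraps when atom_size < header */
    return info;
}

/* Constructed inputs (not taken from any real file). */
static const uint8_t crafted_short64[] = {      /* 64-bit 'moov' claiming size 8 */
    0x00, 0x00, 0x00, 0x01, 'm', 'o', 'o', 'v',
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0xAA, 0xBB
};
static const uint8_t valid64[] = {              /* 64-bit 'mdat' of size 24 */
    0x00, 0x00, 0x00, 0x01, 'm', 'd', 'a', 't',
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x18, 0, 0, 0, 0, 0, 0, 0, 0
};
static const uint8_t valid32[] = {              /* 32-bit 'ftyp' of size 16 */
    0x00, 0x00, 0x00, 0x10, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm', 0, 0, 0, 0
};

int main(void)
{
    atom_info_t a = read_atom(crafted_short64, sizeof crafted_short64, 0);
    atom_info_t b = read_atom(crafted_short64, sizeof crafted_short64, 1);

    printf("pre-patch : ok=%d type=%s data_size=%llu\n",
           a.ok, a.type, (unsigned long long) a.data_size);
    printf("hardened  : ok=%d (rejected: atom_size 8 < 16-byte header)\n", b.ok);
    return 0;
}
```

With the crafted header the pre-patch path accepts the atom and computes a data size of 2^64 - 8, which is the wrapped value downstream loops and buffer calculations would then trust; the hardened path rejects the same bytes before any subtraction happens. Well-formed 32-bit and 64-bit atoms are accepted identically in both modes.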
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2018:3652 https://access.redhat.com/errata/RHSA-2018:3652
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Via RHSA-2018:3653 https://access.redhat.com/errata/RHSA-2018:3653
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2018:3680 https://access.redhat.com/errata/RHSA-2018:3680
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2018:3681 https://access.redhat.com/errata/RHSA-2018:3681