Security Vulnerabilities affect IBM Cloud Private - nginx
CVEID:CVE-2018-16844
**DESCRIPTION:**nginx is vulnerable to a denial of service, caused by a flaw when complied with ngx_http_v2_module. By sending a specially-crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause excessive CPU consumption.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152680 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2018-16845
**DESCRIPTION:**nginx is vulnerable to a denial of service, caused by an error when compiled with the ngx_http_mp4_module. By persuading a victim to open a specially-crafted mp4 file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop or obtain sensitive information from worker process memory.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152681 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)
CVEID:CVE-2018-16843
**DESCRIPTION:**nginx is vulnerable to a denial of service, caused by a flaw when complied with ngx_http_v2_module. By sending a specially-crafted HTTP/2 request, a remote attacker could exploit this vulnerability to cause excessive memory consumption.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152679 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID:CVE-2019-7401
**DESCRIPTION:**NGINX Unit is vulnerable to a denial of service, caused by a heap-based buffer overflow in the router process. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the router process to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156770 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Product(s) | Version(s) |
---|---|
IBM Cloud Private | 3.2.1 CD |
IBM Cloud Private | 3.2.2 CD |
Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages
For IBM Cloud Private 3.2.1, apply fix pack:
For IBM Cloud Private 3.2.2, apply fix pack:
For IBM Cloud Private 3.1.0, 3.1.1, 3.1.2, 3.2.0
None