nginx security advisory (CVE-2018-16843, CVE-2018-16844)

Maxim Dounin mdounin at
Tue Nov 6 15:28:08 UTC 2018


Two security issues were identified in nginx HTTP/2 implementation,
which might cause excessive memory consumption (CVE-2018-16843)
and CPU usage (CVE-2018-16844).

The issues affect nginx compiled with the ngx_http_v2_module (not
compiled by default) if the "http2" option of the "listen" directive is
used in a configuration file.

The issues affect nginx 1.9.5 - 1.15.5.
The issues are fixed in nginx 1.15.6, 1.14.1.

Thanks to Gal Goldshtein from F5 Networks for initial report of the CPU
usage issue.

Maxim Dounin

More information about the nginx mailing list