ID

VAR-201112-0347


CVE

CVE-2011-4315


TITLE

nginx Heap-based buffer overflow vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2011-003324

DESCRIPTION

Heap-based buffer overflow in compression-pointer processing in core/ngx_resolver.c in nginx before 1.0.10 allows remote resolvers to cause a denial of service (daemon crash) or possibly have unspecified other impact via a long response. nginx is prone to a remote heap-based buffer-overflow vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the vulnerable application. Failed exploit attempts will result in a denial-of-service condition. Versions prior to nginx 1.0.10 are vulnerable. nginx is a lightweight web server/reverse proxy server and email (IMAP/POP3) proxy server developed by Russian programmer Igor Sysoev.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201203-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: nginx: Multiple vulnerabilities
Date: March 28, 2012
Bugs: #293785, #293786, #293788, #389319, #408367
ID: 201203-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in nginx, the worst of which may allow execution of arbitrary code.

Background
==========

nginx is a robust, small, and high performance HTTP and reverse proxy server.

Affected packages
=================

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
 1  www-servers/nginx           < 1.0.14                  >= 1.0.14

Description
===========

Multiple vulnerabilities have been found in nginx:

* The TLS protocol does not properly handle session renegotiation requests (CVE-2009-3555).
* The "ngx_http_process_request_headers()" function in ngx_http_parse.c could cause a NULL pointer dereference (CVE-2009-3896).
* nginx does not properly sanitize user input for the WebDAV COPY or MOVE methods (CVE-2009-3898).
* The "ngx_resolver_copy()" function in ngx_resolver.c contains a boundary error which could cause a heap-based buffer overflow (CVE-2011-4315).
* nginx does not properly parse HTTP header responses which could expose sensitive information (CVE-2012-1180).

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All nginx users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/nginx-1.0.14"

References
==========

[ 1 ] CVE-2009-3555
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3555
[ 2 ] CVE-2009-3896
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3896
[ 3 ] CVE-2009-3898
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3898
[ 4 ] CVE-2011-4315
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4315
[ 5 ] CVE-2012-1180
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1180

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201203-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

----------------------------------------------------------------------

TITLE:
nginx DNS Response Handling Buffer Overflow Vulnerability

SECUNIA ADVISORY ID:
SA46798

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/46798/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=46798

RELEASE DATE:
2011-11-17

DISCUSS ADVISORY:
http://secunia.com/advisories/46798/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA:
* Last Update
* Popularity
* Comments
* Criticality Level
* Impact
* Where
* Solution Status
* Operating System / Software
* CVE Reference(s)
http://secunia.com/advisories/46798/

ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
https://ca.secunia.com/?page=viewadvisory&vuln_id=46798

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:
* AUTOMATED SCANNING
http://secunia.com/vulnerability_scanning/personal/
http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION:
A vulnerability has been reported in nginx, which can be exploited by malicious people to potentially compromise a vulnerable system.

Successful exploitation may allow execution of arbitrary code but requires that the custom DNS resolver is enabled (disabled by default).

SOLUTION:
Update to version 1.0.10.

PROVIDED AND/OR DISCOVERED BY:
Ben Hawkes

ORIGINAL ADVISORY:
nginx:
http://nginx.org/en/CHANGES-1.0

Ben Hawkes:
http://www.openwall.com/lists/oss-security/2011/11/17/8

OTHER REFERENCES:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

DEEP LINKS:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED DESCRIPTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXTENDED SOLUTION:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

EXPLOIT:
Further details available in Customer Area:
http://secunia.com/vulnerability_intelligence/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help private users keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only use those supplied by the vendor.

----------------------------------------------------------------------

This fixes a weakness, a security issue, and multiple vulnerabilities, which can be exploited by malicious people to disclose certain sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), manipulate certain data, and potentially compromise a vulnerable system.

Trust: 2.34

sources: NVD: CVE-2011-4315 // JVNDB: JVNDB-2011-003324 // BID: 50710 // VULHUB: VHN-52260 // PACKETSTORM: 111273 // PACKETSTORM: 107566 // PACKETSTORM: 107076 // PACKETSTORM: 111263

AFFECTED PRODUCTS

vendor: suse | model: webyast | scope: eq | version: 1.2

Trust: 1.3

vendor: suse | model: studio onsite | scope: eq | version: 1.2

Trust: 1.3

vendor: f5 | model: nginx | scope: gte | version: 0.6.18

Trust: 1.0

vendor: f5 | model: nginx | scope: lt | version: 1.0.10

Trust: 1.0

vendor: f5 | model: nginx | scope: gte | version: 1.1.0

Trust: 1.0

vendor: fedoraproject | model: fedora | scope: eq | version: 16

Trust: 1.0

vendor: f5 | model: nginx | scope: lte | version: 1.1.7

Trust: 1.0

vendor: suse | model: studio | scope: eq | version: 1.2

Trust: 1.0

vendor: igor sysoev | model: nginx | scope: lt | version: 1.0.10

Trust: 0.8

vendor: nginx | model: nginx | scope: eq | version: 1.0.9

Trust: 0.6

vendor: suse | model: studio standard edition | scope: eq | version: 1.2

Trust: 0.3

vendor: s u s e | model: opensuse | scope: eq | version: 11.4

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 1.0.9

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 1.0.8

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.8.41

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.8.36

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.8.35

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.8.33

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.8.32

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.8.15

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.8.14

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.7.66

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.7.65

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.7.64

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.7.62

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.7.61

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.7

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.6.39

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.6.38

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.6.36

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.6.32

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.6

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.5.38

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.5.37

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: eq | version: 0.5

Trust: 0.3

vendor: gentoo | model: linux | scope: - | version: -

Trust: 0.3

vendor: igor | model: sysoev nginx | scope: ne | version: 1.0.10

Trust: 0.3

sources: BID: 50710 // JVNDB: JVNDB-2011-003324 // CNNVD: CNNVD-201111-315 // NVD: CVE-2011-4315

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-4315
value: MEDIUM

Trust: 1.0

NVD: CVE-2011-4315
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201111-315
value: MEDIUM

Trust: 0.6

VULHUB: VHN-52260
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2011-4315
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2011-4315
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-52260
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-52260 // JVNDB: JVNDB-2011-003324 // CNNVD: CNNVD-201111-315 // NVD: CVE-2011-4315

PROBLEMTYPE DATA

problemtype: CWE-787

Trust: 1.1

problemtype: CWE-119

Trust: 0.9

sources: VULHUB: VHN-52260 // JVNDB: JVNDB-2011-003324 // NVD: CVE-2011-4315

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201111-315

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-201111-315

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-003324

PATCH

title: CHANGES-1.0 | url: http://www.nginx.org/en/CHANGES-1.0

Trust: 0.8

title: 4268 (nginx) | url: http://trac.nginx.org/nginx/changeset/4268/nginx

Trust: 0.8

title: nginx-1.0.10 | url: http://123.124.177.30/web/xxk/bdxqById.tag?id=42000

Trust: 0.6

sources: JVNDB: JVNDB-2011-003324 // CNNVD: CNNVD-201111-315

EXTERNAL IDS

db: NVD | id: CVE-2011-4315

Trust: 2.9

db: BID | id: 50710

Trust: 2.0

db: OPENWALL | id: OSS-SECURITY/2011/11/17/8

Trust: 1.8

db: SECUNIA | id: 47097

Trust: 1.8

db: SECUNIA | id: 48577

Trust: 1.8

db: OPENWALL | id: OSS-SECURITY/2011/11/17/10

Trust: 1.7

db: JVNDB | id: JVNDB-2011-003324

Trust: 0.8

db: CNNVD | id: CNNVD-201111-315

Trust: 0.7

db: SECUNIA | id: 46798

Trust: 0.2

db: VULHUB | id: VHN-52260

Trust: 0.1

db: PACKETSTORM | id: 111273

Trust: 0.1

db: PACKETSTORM | id: 107566

Trust: 0.1

db: PACKETSTORM | id: 107076

Trust: 0.1

db: PACKETSTORM | id: 111263

Trust: 0.1

sources: VULHUB: VHN-52260 // BID: 50710 // JVNDB: JVNDB-2011-003324 // PACKETSTORM: 111273 // PACKETSTORM: 107566 // PACKETSTORM: 107076 // PACKETSTORM: 111263 // CNNVD: CNNVD-201111-315 // NVD: CVE-2011-4315

REFERENCES

url:http://trac.nginx.org/nginx/changeset/4268/nginx

Trust: 2.0

url:http://security.gentoo.org/glsa/glsa-201203-22.xml

Trust: 1.8

url:http://secunia.com/advisories/47097

Trust: 1.7

url:http://secunia.com/advisories/48577

Trust: 1.7

url:http://www.securityfocus.com/bid/50710

Trust: 1.7

url:http://lists.fedoraproject.org/pipermail/package-announce/2011-december/070569.html

Trust: 1.7

url:http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00005.html

Trust: 1.7

url:http://openwall.com/lists/oss-security/2011/11/17/8

Trust: 1.7

url:http://openwall.com/lists/oss-security/2011/11/17/10

Trust: 1.7

url:http://www.nginx.org/en/changes-1.0

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4315

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4315

Trust: 0.8

url:http://nginx.org/

Trust: 0.3

url:http://www.nginx.org/en/changes

Trust: 0.3

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.3

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.3

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.3

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.3

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.3

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.3

url:http://secunia.com/company/jobs/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2009-3896

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3898

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2009-3555

Trust: 0.1

url:http://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2012-1180

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2011-4315

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3896

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2009-3898

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2011-4315

Trust: 0.1

url:http://security.gentoo.org/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2012-1180

Trust: 0.1

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2009-3555

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=47097

Trust: 0.1

url:http://secunia.com/advisories/47097/

Trust: 0.1

url:https://hermes.opensuse.org/messages/12768388

Trust: 0.1

url:http://secunia.com/advisories/47097/#comments

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=46798

Trust: 0.1

url:http://www.openwall.com/lists/oss-security/2011/11/17/8

Trust: 0.1

url:http://secunia.com/advisories/46798/

Trust: 0.1

url:http://secunia.com/advisories/46798/#comments

Trust: 0.1

url:http://nginx.org/en/changes-1.0

Trust: 0.1

url:http://secunia.com/psi_30_beta_launch

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=48577

Trust: 0.1

url:http://secunia.com/advisories/48577/

Trust: 0.1

url:http://secunia.com/advisories/48577/#comments

Trust: 0.1

url:http://www.gentoo.org/security/en/glsa/glsa-201203-22.xml

Trust: 0.1

sources: VULHUB: VHN-52260 // BID: 50710 // JVNDB: JVNDB-2011-003324 // PACKETSTORM: 111273 // PACKETSTORM: 107566 // PACKETSTORM: 107076 // PACKETSTORM: 111263 // CNNVD: CNNVD-201111-315 // NVD: CVE-2011-4315

CREDITS

Ben Hawkes

Trust: 0.3

sources: BID: 50710

SOURCES

db: VULHUB | id: VHN-52260
db: BID | id: 50710
db: JVNDB | id: JVNDB-2011-003324
db: PACKETSTORM | id: 111273
db: PACKETSTORM | id: 107566
db: PACKETSTORM | id: 107076
db: PACKETSTORM | id: 111263
db: CNNVD | id: CNNVD-201111-315
db: NVD | id: CVE-2011-4315

LAST UPDATE DATE

2024-08-14T13:07:17.327000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-52260 | date: 2021-11-10T00:00:00
db: BID | id: 50710 | date: 2015-04-13T21:13:00
db: JVNDB | id: JVNDB-2011-003324 | date: 2011-12-13T00:00:00
db: CNNVD | id: CNNVD-201111-315 | date: 2023-05-15T00:00:00
db: NVD | id: CVE-2011-4315 | date: 2021-11-10T15:54:43.753

SOURCES RELEASE DATE

db: VULHUB | id: VHN-52260 | date: 2011-12-08T00:00:00
db: BID | id: 50710 | date: 2011-11-17T00:00:00
db: JVNDB | id: JVNDB-2011-003324 | date: 2011-12-13T00:00:00
db: PACKETSTORM | id: 111273 | date: 2012-03-29T02:37:12
db: PACKETSTORM | id: 107566 | date: 2011-12-06T04:14:38
db: PACKETSTORM | id: 107076 | date: 2011-11-17T02:29:24
db: PACKETSTORM | id: 111263 | date: 2012-03-28T06:36:19
db: CNNVD | id: CNNVD-201111-315 | date: 2011-11-22T00:00:00
db: NVD | id: CVE-2011-4315 | date: 2011-12-08T20:55:01