CVE-2016-4450 Nginx Vulnerabilities
Severity
Medium
Vendor
nginx, Cloud Foundry
Versions Affected
- nginx before 1.10.1 and 1.11.x versions before 1.11.1
- Cloud Foundry staticfile buildpack prior to version 1.3.9
- Cloud Foundry cf-release prior to version 238
Description
os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- Pivotal OpsManager 1.6.x versions prior to 1.6.15 AND 1.7.x versions prior to 1.7.6
- Pivotal Elastic Runtime 1.6.x versions prior to 1.6.33 AND 1.7.x versions prior to 1.7.11
Mitigation
OSS users are strongly encouraged to follow one of the mitigations below:
- Upgrade to Cloud Foundry version 238 or later
- Upgrade the Cloud Foundry staticfile buildpack to version 1.3.9 or later and restage all applications that use automated buildpack detection
Users are strongly encouraged to follow the mitigation below:
- Upgrade Pivotal OpsManager 1.6.x versions to 1.6.15 or later OR 1.7.x versions to 1.7.6 or later
- Upgrade Pivotal Elastic Runtime 1.6.x versions to 1.6.33 or later OR 1.7.x versions to 1.7.11 or later
- Upgrade the Cloud Foundry staticfile buildpack to version 1.3.9 or later and restage all applications that use automated buildpack detection. For more information, refer to the CF CLI documentation.