製品・ソフトウェアに関する情報

JVN脆弱性詳細

nghttp2 のアイドル状態のストリーム処理における脆弱性

Title	nghttp2 のアイドル状態のストリーム処理における脆弱性
Summary	nghttp2 のアイドル状態のストリーム処理には、不特定の影響を受ける脆弱性が存在します。本脆弱性は、解放済みヒープメモリ使用のバグと呼ばれています。
Possible impacts	攻撃者により、不特定の影響を受ける可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 23, 2015, midnight
Registration Date	Jan. 21, 2016, 4:04 p.m.
Last Update	March 29, 2016, 3:41 p.m.

CVSS2.0 : 危険
Score	10
Vector	AV:N/AC:L/Au:N/C:C/I:C/A:C

Affected System

アップル

Apple Mac OS X 10.11 から 10.11.3

iOS 9.3 未満 (iPad 2 以降)

iOS 9.3 未満 (iPhone 4s 以降)

iOS 9.3 未満 (iPod touch 第 5 世代以降)

tvOS 9.2 未満 (Apple TV 第 4 世代)

watchOS 2.2 未満 (Apple Watch Edition)

watchOS 2.2 未満 (Apple Watch Hermes)

watchOS 2.2 未満 (Apple Watch Sport)

watchOS 2.2 未満 (Apple Watch)

nghttp2 project

nghttp2 1.6.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-8659	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8659
National Vulnerability Database (NVD)
2	CVE-2015-8659	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8659

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Apple Mailing Lists
1	APPLE-SA-2016-03-21-1 iOS 9.3	http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
2	APPLE-SA-2016-03-21-2 watchOS 2.2	http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html
3	APPLE-SA-2016-03-21-3 tvOS 9.2	http://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html
4	APPLE-SA-2016-03-21-5 OS X El Capitan 10.11.4 and Security Update 2016-002	http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
Apple Security Updates
5	HT206166	https://support.apple.com/en-us/HT206166
6	HT206167	https://support.apple.com/en-us/HT206167
7	HT206168	https://support.apple.com/en-us/HT206168
8	HT206169	https://support.apple.com/en-us/HT206169
Apple セキュリティアップデート
9	HT206166	https://support.apple.com/ja-jp/HT206166
10	HT206167	https://support.apple.com/ja-jp/HT206167
11	HT206168	https://support.apple.com/ja-jp/HT206168
12	HT206169	https://support.apple.com/ja-jp/HT206169
nghttp2
13	Nghttp2 v1.6.0	https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/

その他

No	Name	URL
JVN
1	JVNVU#97668313	http://jvn.jp/vu/JVNVU97668313/index.html

Change Log

No	Changed Details	Date of change
0	[2016年01月21日] 掲載 [2016年03月29日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：アップル (HT206166) を追加ベンダ情報：アップル (HT206167) を追加ベンダ情報：アップル (HT206168) を追加ベンダ情報：アップル (HT206169) を追加ベンダ情報：アップル (APPLE-SA-2016-03-21-1 iOS 9.3) を追加ベンダ情報：アップル (APPLE-SA-2016-03-21-5 OS X El Capitan 10.11.4 and Security Update 2016-002) を追加ベンダ情報：アップル (APPLE-SA-2016-03-21-2 watchOS 2.2) を追加ベンダ情報：アップル (APPLE-SA-2016-03-21-3 tvOS 9.2) を追加参考情報：JVN (JVNVU#97668313) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2015-8659

Summary	The idle stream handling in nghttp2 before 1.6.0 allows attackers to have unspecified impact via unknown vectors, aka a heap-use-after-free bug.
Publication Date	Jan. 13, 2016, 4:59 a.m.
Registration Date	Jan. 26, 2021, 2:58 p.m.
Last Update	Nov. 21, 2024, 11:38 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:apple:mac_os_x::::::::			10.11.3

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:apple:watchos::::::::		2.1
cpe:2.3:o:apple:iphone_os::::::::		9.2.1
cpe:2.3:a:nghttp2:nghttp2::::::::		1.5.0
cpe:2.3:o:apple:tvos::::::::		9.1

Related information, measures and tools

No	URL	タグ
1	http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
2	http://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
3	http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html
4	http://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html
5	http://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html
6	http://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html
7	http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
8	http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
9	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175085.html
10	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175085.html
11	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175423.html
12	http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175423.html
13	http://www.openwall.com/lists/oss-security/2015/12/23/10
14	http://www.openwall.com/lists/oss-security/2015/12/23/10
15	http://www.openwall.com/lists/oss-security/2015/12/23/6
16	http://www.openwall.com/lists/oss-security/2015/12/23/6
17	http://www.securitytracker.com/id/1035353
18	http://www.securitytracker.com/id/1035353
19	https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/	Patch Vendor Advisory
20	https://nghttp2.org/blog/2015/12/23/nghttp2-v1-6-0/	Patch Vendor Advisory
21	https://security.gentoo.org/glsa/201612-06
22	https://security.gentoo.org/glsa/201612-06
23	https://support.apple.com/HT206166	Vendor Advisory
24	https://support.apple.com/HT206166	Vendor Advisory
25	https://support.apple.com/HT206167	Vendor Advisory
26	https://support.apple.com/HT206167	Vendor Advisory
27	https://support.apple.com/HT206168	Vendor Advisory
28	https://support.apple.com/HT206168	Vendor Advisory
29	https://support.apple.com/HT206169	Vendor Advisory
30	https://support.apple.com/HT206169	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html