製品・ソフトウェアに関する情報

JVN脆弱性詳細

nginx のリゾルバにおけるサービス運用妨害 (DoS) の脆弱性

Title	nginx のリゾルバにおけるサービス運用妨害 (DoS) の脆弱性
Summary	nginx のリゾルバには、サービス運用妨害 (不正なポインタデリファレンスおよびワーカープロセスクラッシュ) 状態にされる脆弱性が存在します。補足情報 : CWE による脆弱性タイプは、CWE-476: NULL Pointer Dereference (NULL ポインタデリファレンス) と識別されています。 http://cwe.mitre.org/data/definitions/476.html
Possible impacts	第三者により、巧妙に細工された UDP DNS レスポンスを介して、サービス運用妨害 (不正なポインタデリファレンスおよびワーカープロセスクラッシュ) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 26, 2016, midnight
Registration Date	March 1, 2016, 11:32 a.m.
Last Update	March 1, 2016, 11:32 a.m.

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected System

Debian

Debian GNU/Linux 1.2

Debian GNU/Linux 8.0

Debian GNU/Linux 1.2

Debian GNU/Linux 8.0

Novell

Leap 42.1

Canonical

Ubuntu 14.04 LTS

Ubuntu 15.10

Ubuntu 14.04 LTS

Ubuntu 15.10

Igor Sysoev

nginx 1.8.1 未満

nginx 1.9.10 未満の 1.9.x

nginx 1.8.1 未満

nginx 1.9.10 未満の 1.9.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-0742	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0742
2	CVE-2016-0742	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0742
National Vulnerability Database (NVD)
3	CVE-2016-0742	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0742
4	CVE-2016-0742	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0742

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther
2	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-3473	http://www.debian.org/security/2016/dsa-3473
2	DSA-3473	http://www.debian.org/security/2016/dsa-3473
opensuse-updates
3	openSUSE-SU-2016:0371	http://lists.opensuse.org/opensuse-updates/2016-02/msg00042.html
4	openSUSE-SU-2016:0371	http://lists.opensuse.org/opensuse-updates/2016-02/msg00042.html
Red Hat Bugzilla
5	Bug 1302587	https://bugzilla.redhat.com/show_bug.cgi?id=1302587
6	Bug 1302587	https://bugzilla.redhat.com/show_bug.cgi?id=1302587
Ubuntu Security Notice
7	USN-2892-1	http://www.ubuntu.com/usn/USN-2892-1/
8	USN-2892-1	http://www.ubuntu.com/usn/USN-2892-1/
[nginx-announce] nginx security advisory
9	nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)	http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html
10	nginx security advisory (CVE-2016-0742, CVE-2016-0746, CVE-2016-0747)	http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html

Change Log

No	Changed Details	Date of change
0	[2016年03月01日] 掲載	Feb. 17, 2018, 10:37 a.m.
0	[2016年03月01日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-0742

Summary	The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid pointer dereference and worker process crash) via a crafted UDP DNS response.
Publication Date	Feb. 16, 2016, 4:59 a.m.
Registration Date	Jan. 26, 2021, 2:04 p.m.
Last Update	Nov. 21, 2024, 11:42 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:f5:nginx::::::::	0.6.18			1.8.1
cpe:2.3:a:f5:nginx::::::::	1.9.0			1.9.10

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:15.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:o:debian:debian_linux:7.0:::::::*
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:o:opensuse:leap:42.1:::::::*

Configuration5		or higher	or less	more than	less than
cpe:2.3:a:apple:xcode::::::::					13.0

Configuration6		or higher	or less	more than	less than
cpe:2.3:a:redhat:software_collections:1.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-updates/2016-02/msg00042.html	Mailing List Third Party Advisory
2	http://lists.opensuse.org/opensuse-updates/2016-02/msg00042.html	Mailing List Third Party Advisory
3	http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html	Vendor Advisory
4	http://mailman.nginx.org/pipermail/nginx/2016-January/049700.html	Vendor Advisory
5	http://seclists.org/fulldisclosure/2021/Sep/36	Mailing List Third Party Advisory
6	http://seclists.org/fulldisclosure/2021/Sep/36	Mailing List Third Party Advisory
7	http://www.debian.org/security/2016/dsa-3473	Third Party Advisory
8	http://www.debian.org/security/2016/dsa-3473	Third Party Advisory
9	http://www.securitytracker.com/id/1034869	Third Party Advisory VDB Entry
10	http://www.securitytracker.com/id/1034869	Third Party Advisory VDB Entry
11	http://www.ubuntu.com/usn/USN-2892-1	Third Party Advisory
12	http://www.ubuntu.com/usn/USN-2892-1	Third Party Advisory
13	https://access.redhat.com/errata/RHSA-2016:1425	Third Party Advisory
14	https://access.redhat.com/errata/RHSA-2016:1425	Third Party Advisory
15	https://bto.bluecoat.com/security-advisory/sa115	Third Party Advisory
16	https://bto.bluecoat.com/security-advisory/sa115	Third Party Advisory
17	https://bugzilla.redhat.com/show_bug.cgi?id=1302587	Issue Tracking Patch Third Party Advisory
18	https://bugzilla.redhat.com/show_bug.cgi?id=1302587	Issue Tracking Patch Third Party Advisory
19	https://security.gentoo.org/glsa/201606-06	Third Party Advisory
20	https://security.gentoo.org/glsa/201606-06	Third Party Advisory
21	https://support.apple.com/kb/HT212818	Third Party Advisory
22	https://support.apple.com/kb/HT212818	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-476	NULL ポインタデリファレンス	https://cwe.mitre.org/data/definitions/476.html