CVE-2014-3616

Published: 17 September 2014

nginx 0.5.6 through 1.7.4, when using the same shared ssl_session_cache or ssl_session_ticket_key for multiple servers, can reuse a cached SSL session for an unrelated context, which allows remote attackers with certain privileges to conduct "virtual host confusion" attacks.

Priority

Status

Package	Release	Status
nginx Launchpad, Ubuntu, Debian	lucid	Ignored (end of life)
	precise	Released (1.1.19-1ubuntu0.7)
	trusty	Released (1.4.6-1ubuntu3.1)
	upstream	Released (1.7.5,1.6.2)
	utopic	Not vulnerable (1.6.2-1ubuntu1)
	Patches: upstream: http://trac.nginx.org/nginx/changeset/1ee1db30c9b96e9e43e85ab0bfba42140af24966/nginx

References

http://bh.ht.vc/vhost_confusion.pdf
https://ubuntu.com/security/notices/USN-2351-1
https://www.cve.org/CVERecord?id=CVE-2014-3616
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1370478
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761940

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›