Cb Response: A possible security issue was identified in the ngx_http_mp4_module [CVE-2018-16845]

Environment

  • Cb Response: 6.0.2 and higher

Symptoms

  • A security scanner reports a possible vulnerability identified in the ngx_http_mp4_module running on the Cb Response server.

Cause

  • This is a False Positive result.

Resolution

  1. The vulnerability only affects NGINX if it is built with the ngx_http_mp4_module (the module is not built by default; it is enabled at build time with --with-http_mp4_module). Cb Response does not use the mp4 directive in its nginx configuration, so the vulnerable code path is not reachable on the Cb Response server.

Additional Notes

  • This vulnerability might allow an attacker to cause an infinite loop in a worker process, crash a worker process, or disclose worker process memory by using a specially crafted mp4 file. [CVE-2018-16845]
  • Searching the Cb Response nginx configuration for "mp4" finds the string only in the MIME type table, not as a directive:
# grep -ir mp4 /etc/cb/nginx
/etc/cb/nginx/mime.types:    video/mp4                             mp4;
  • One can also dump the running configuration from nginx with the -T option.
  • First, find the path of the running nginx binary:
# pgrep nginx | xargs -I PID ls -l /proc/PID/exe
lrwxrwxrwx. 1 root root 0 Nov 19 16:32 /proc/112343/exe -> /usr/local/openresty/nginx/sbin/nginx
lrwxrwxrwx. 1 cb cb 0 Nov 19 16:32 /proc/112344/exe -> /usr/local/openresty/nginx/sbin/nginx
lrwxrwxrwx. 1 cb cb 0 Nov 19 16:32 /proc/112345/exe -> /usr/local/openresty/nginx/sbin/nginx
lrwxrwxrwx. 1 cb cb 0 Nov 19 16:32 /proc/112346/exe -> /usr/local/openresty/nginx/sbin/nginx
lrwxrwxrwx. 1 cb cb 0 Nov 19 16:32 /proc/112347/exe -> /usr/local/openresty/nginx/sbin/nginx
  • Then, dump the config:
# /usr/local/openresty/nginx/sbin/nginx -T
  • That will show the contents of every file nginx sourced. A search (grep) for mp4 will only find it in the mime.types file. That file only maps file extensions to MIME types (the "video/mp4 mp4;" entry); it does not enable the mp4 directive and does not mean the ngx_http_mp4_module is loaded.
# /usr/local/openresty/nginx/sbin/nginx -T 2>/dev/null | grep mp4
video/mp4
  • To verify whether a module was actually compiled into the nginx binary (as opposed to merely being referenced in a configuration file), print the build options with the -V flag. The output lists the configure arguments, and ngx_http_mp4_module is present only if --with-http_mp4_module appears among them. Note that nginx -V writes to stderr, so redirect with 2>&1 if you pipe it to grep:
    [root@cbresponse-lab ~]# /usr/local/openresty/nginx/sbin/nginx -V
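The procedure above boils down to two independent checks: was the module compiled in (nginx -V), and is the mp4 directive actually active in the configuration nginx loaded (nginx -T), with the mime.types entry explicitly discounted. The script below is an added example, not code from the KB article or from Carbon Black; it implements both checks as shell functions and combines them into a verdict. The binary path is the one shown in the article but is an assumption for your host (override it with NGINX_BIN), and the sample -V and -T outputs are constructed data, not captured output, so the script also runs offline.

```shell
#!/bin/sh
# Added example (not part of the Cb Response KB article): decide whether
# CVE-2018-16845 can apply to an nginx/OpenResty instance by checking the two
# things the article distinguishes: whether ngx_http_mp4_module was compiled
# into the binary (nginx -V) and whether the mp4 directive is active in the
# loaded configuration (nginx -T). The path and the sample outputs below are
# assumptions/constructed data, not output captured from a real host.

# Compiled-in check: `nginx -V` prints the configure arguments; the module is
# present only if --with-http_mp4_module is among them.
mp4_module_built_in() {
    printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'
}

# Configuration check: look for the mp4 directive as a statement of its own
# (start of line, or after ';' or '{'), after dropping comments. The mime.types
# entry "video/mp4  mp4;" is a file-extension mapping, not a directive, and
# deliberately does not match. Only the bare "mp4;" directive is checked.
mp4_directive_enabled() {
    printf '%s\n' "$1" | sed 's/#.*//' \
        | grep -Eq '(^|[;{])[[:space:]]*mp4[[:space:]]*;'
}

# Combine both checks into a verdict string.
classify() {
    build_out="$1"; config_out="$2"
    if ! mp4_module_built_in "$build_out"; then
        echo "not affected: ngx_http_mp4_module is not compiled in"
    elif ! mp4_directive_enabled "$config_out"; then
        echo "not affected: module compiled in, but no mp4 directive in the configuration"
    else
        echo "review: mp4 directive is active; compare the nginx version with the fixed releases"
    fi
}

# ---- constructed sample data (not real host output) ----
SAMPLE_V_WITHOUT='nginx version: openresty/EXAMPLE
configure arguments: --prefix=/usr/local/openresty/nginx --with-http_ssl_module'
SAMPLE_V_WITH='nginx version: nginx/EXAMPLE
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_mp4_module'

# -T output where "mp4" appears only in mime.types and in a comment
SAMPLE_T_MIME_ONLY='# configuration file /etc/cb/nginx/mime.types:
types {
    video/mp4                             mp4;
}
# configuration file /etc/cb/nginx/nginx.conf:
http {
    server {
        location /video/ {
            # mp4;   <- commented out, must not count
        }
    }
}'

# -T output where the directive really is enabled
SAMPLE_T_DIRECTIVE='# configuration file /etc/nginx/nginx.conf:
http {
    server {
        location ~ \.mp4$ { mp4; mp4_buffer_size 1m; }
    }
}'

# Live run when the binary from the article is present (path is an assumption);
# otherwise demonstrate on the constructed samples so the script runs offline.
NGINX_BIN="${NGINX_BIN:-/usr/local/openresty/nginx/sbin/nginx}"
if [ -x "$NGINX_BIN" ]; then
    # -V writes its output to stderr; -T writes the config to stdout
    classify "$("$NGINX_BIN" -V 2>&1)" "$("$NGINX_BIN" -T 2>/dev/null)"
else
    classify "$SAMPLE_V_WITHOUT" "$SAMPLE_T_MIME_ONLY"
    classify "$SAMPLE_V_WITH"    "$SAMPLE_T_MIME_ONLY"
    classify "$SAMPLE_V_WITH"    "$SAMPLE_T_DIRECTIVE"
fi
```

Run it as root on the server so that nginx -T can read every included file; a non-root run that cannot open the configuration yields empty -T output and would wrongly report "no mp4 directive". The "review" verdict is deliberately not a "vulnerable" verdict: the upstream fix for CVE-2018-16845 landed in nginx 1.15.6 and 1.14.1, and OpenResty bundles its own nginx core, so the bundled version still has to be compared against that before concluding anything.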
