CVE-2016-6309 – Patching NGINX for OpenSSL Security Issues

Security is of the utmost importance to us here at Kinsta. That is one reason why we recently launched two-factor authentication to secure your Kinsta accounts. …

The post CVE-2016-6309 – Patching NGINX for OpenSSL Security Issues appeared first on Kinsta Managed WordPress Hosting.

Spread the love

Security is of the utmost importance to us here at Kinsta. That is one reason why we recently launched two-factor authentication to secure your Kinsta accounts. Over the past week there have been some serious OpenSSL security vulnerabilities and we want to let you know that we have been patching our NGINX servers and load balancers, upgrading OpenSSL to the latest version, as soon as it becomes available to us.


OpenSSL is an open source project and cryptography library that provides a toolkit for TLS and SSL protocols. We use the OpenSSL library, which is required by NGINX SSL modules to support the HTTPS protocol. NGINX is also open source and is what we use to power our web servers and your WordPress sites.

OpenSSL Security Vulnerabilities

We are constantly monitoring security updates and have notifications in place to let us know when they arise. Last week the OpenSSL project announced that over a dozen vulnerabilities were patched.

CVE-2016-6304 [High Severity] 22nd September 2016

The most important was CVE-2016-6304, classified as high severity. We patched out NGINX servers and load balancers the same day and upgraded to the latest version of OpenSSL, 1.1.0a.

OCSP Status Request extension unbounded memory growth (

A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the “no-ocsp” build time option are not affected.

The vulnerability was reported by Shi Lei, a researcher at a Chinese security firm, Qihoo 360.

CVE-2016-6309 [Critical Severity] 26th September 2016

Earlier this morning, another critical severity warning was announced by the OpenSSL team which affects the latest 1.1.0a release which we had just recently upgraded to last week. So again we have patched NGINX servers to latest OpenSSL version, 1.1.0b, which addresses the security issue below.

Fix Use After Free for large message sizes (

The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved. Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location. This is likely to result in a crash, however it could potentially lead to execution of arbitrary code.

You can rest assured that we are always on top of these OpenSSL security vulnerabilities and patch as soon as they come out.

Facebook Comments

More Stuff

How To Remove The WordPress Admin User Account If you’ve been on the internet in the past week or so, you’ve probably heard about the spate of “brute force” attacks that have been made on WordPres...
60 Beautiful “Day of the Dead” Inspired Designs & Artworks The traditions and symbols of the Mexican holiday Day of the Dead (Día de Muertos) are a popular theme for artists and illustrators. Skeletons, skulls...
How to Create a PayPal Donate Button for Your WordPress Site From non-profit organizations to churches, and political campaigns to bloggers who need early support, several situations warrant asking for donations...
6 Facts You Didn’t Know About Magento Magento was developed in 2007, released in 2008, and is currently the most popular Ecommerce platform in the world—there’s three bonus Magento facts f...
Spread the love

Posted by News Monkey