Bug 1353755 (CVE-2016-5387, httpoxy)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header | | |
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | anemec, bbaranow, bmaxwell, cdewolf, chazlett, crrobins, csutherl, dandread, darran.lofthouse, dosoudil, fnasser, hhorak, huwang, jason.greene, jawilson, jboss-set, jclere, jdoyle, jkaluza, jorton, jshepherd, kseifried, lgao, mbabacek, mfrodl, mhatanak, mjc, mturk, myarboro, optak, pahan, pgier, psakar, pslavice, rnetuka, rsawhill, rsvoboda, sardella, security-response-team, sreber, twalsh, vtunka, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | httpd 2.4.24, httpd 2.2.32 | Doc Type: | If docs needed, set a value |
| Doc Text: | It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-10-13 08:59:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1360529, 1354577, 1354578, 1354579, 1354580, 1354581, 1354582, 1357597, 1358118, 1360356, 1360357 | | |
| Bug Blocks: | 1353762, 1358998 | | |
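The Doc Text above describes the mechanism behind this bug: a CGI gateway exports request headers as `HTTP_*` environment variables, so a client-supplied `Proxy` header lands in `HTTP_PROXY`, a name some HTTP client libraries read as a proxy setting. The following is an added example, not code from httpd or from this bug report. It models the RFC 3875 header-to-meta-variable mapping that produces the collision, and a block list (containing only the `Proxy` header) that mirrors the idea behind the fix shipped in httpd 2.4.24 and 2.2.32. The request text, the `.invalid` hostname and all function names are constructed for the illustration.

```python
"""Model of how a CGI gateway turns request headers into HTTP_* meta-variables
(RFC 3875) and why the client-supplied 'Proxy' header collides with HTTP_PROXY.

Added example for Bug 1353755 / CVE-2016-5387; not httpd's own code.
"""
import re

# Headers that RFC 3875 exports under their own names instead of HTTP_*.
_SPECIAL = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def cgi_env_from_headers(headers, block=()):
    """Build the HTTP_* part of a CGI environment from (name, value) pairs.

    `block` lists header names (case-insensitive) that are never exported.
    Passing ("proxy",) models the patched httpd behaviour of refusing to
    turn a client-chosen Proxy header into HTTP_PROXY (assumption: this
    is the mechanism of the upstream fix, described here as a block list).
    """
    blocked = {name.lower() for name in block}
    env = {}
    for name, value in headers:
        key = name.lower()
        if key in blocked:
            continue
        if key in _SPECIAL:
            env[_SPECIAL[key]] = value
            continue
        # RFC 3875 rule: upper-case the name, map non-alphanumerics to '_',
        # prefix with HTTP_. This is exactly why 'Proxy' becomes HTTP_PROXY.
        env["HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())] = value
    return env


def parse_request_headers(raw):
    """Return the (name, value) header pairs of a raw HTTP/1.1 request."""
    headers = []
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:                    # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def proxy_exposure(raw, block=()):
    """Return the HTTP_PROXY value a CGI script would see, or None."""
    env = cgi_env_from_headers(parse_request_headers(raw), block)
    return env.get("HTTP_PROXY")


# Constructed request carrying a client-chosen Proxy header.
SAMPLE_REQUEST = (
    "GET /cgi-bin/hello.cgi HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Proxy: proxy.example.invalid:8080\r\n"
    "User-Agent: constructed-sample/1.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    # Unpatched gateway: the header is exported and the CGI script's HTTP
    # client may route its outgoing requests through the client's choice.
    print("unpatched HTTP_PROXY:", proxy_exposure(SAMPLE_REQUEST))
    # Patched gateway: the Proxy header is dropped before building the env.
    print("patched   HTTP_PROXY:", proxy_exposure(SAMPLE_REQUEST, block=("proxy",)))
```

The block list is the right shape for this fix because the name collision is with a specific, non-standard request header; every other header still maps through the normal RFC 3875 rule, so legitimate CGI variables such as `HTTP_HOST` are unaffected.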
Description
Kurt Seifried
2016-07-07 22:52:38 UTC
Acknowledgments:

Name: Scott Geary (VendHQ)

Detailed write-up from the original reporter: https://httpoxy.org/

Advisory from the Apache Software Foundation (which covers httpd, and also Tomcat and Traffic Server): https://www.apache.org/security/asf-httpoxy-response.txt

ASF plans to address this issue in httpd versions 2.4.24 and 2.2.32.

External References:
https://access.redhat.com/security/vulnerabilities/httpoxy
https://httpoxy.org/
https://www.apache.org/security/asf-httpoxy-response.txt

Created httpd tracking bugs for this issue:
Affects: fedora-all [bug 1357597]

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 6
Via RHSA-2016:1420 https://access.redhat.com/errata/RHSA-2016:1420

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:1422 https://access.redhat.com/errata/RHSA-2016:1422

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 5
Via RHSA-2016:1421 https://access.redhat.com/errata/RHSA-2016:1421

httpd-2.4.23-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

httpd-2.4.23-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:
Red Hat JBoss Web Server 3.0.3
Via RHSA-2016:1624 https://rhn.redhat.com/errata/RHSA-2016-1624.html

This issue has been addressed in the following products:
Red Hat JBoss Core Services Apache HTTP 2.4.6
Via RHSA-2016:1625 https://rhn.redhat.com/errata/RHSA-2016-1625.html

This issue has been addressed in the following products:
Red Hat JBoss Web Server 3 for RHEL 7
Via RHSA-2016:1635 https://access.redhat.com/errata/RHSA-2016:1635

This issue has been addressed in the following products:
Red Hat JBoss Web Server 3 for RHEL 6
Via RHSA-2016:1636 https://access.redhat.com/errata/RHSA-2016:1636

This issue has been addressed in the following products:
Red Hat JBoss Web Server 2.1.1
Via RHSA-2016:1650 https://rhn.redhat.com/errata/RHSA-2016-1650.html

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Web Server 2 for RHEL 6
Via RHSA-2016:1649 https://rhn.redhat.com/errata/RHSA-2016-1649.html

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Web Server 2 for RHEL 7
Via RHSA-2016:1648 https://rhn.redhat.com/errata/RHSA-2016-1648.html

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services on RHEL 6
Via RHSA-2016:1851 https://access.redhat.com/errata/RHSA-2016:1851