Bug 1358118

Summary: CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header [jbews-2.1.0]
Product: [JBoss] JBoss Enterprise Web Server 2 Reporter: Jason Shepherd <jshepherd>
Component: httpdAssignee: George Zaronikas <gzaronik>
Status: CLOSED ERRATA QA Contact: fgoldefu
Severity: high Docs Contact:
Priority: high    
Version: 2.1.0CC: csutherl, jclere, jdoyle, lakagwu, lgao, mbabacek, myarboro, pslavice, rsvoboda, twalsh, weli
Target Milestone: CR01Keywords: Security, SecurityTracking
Target Release: 2.1.1   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-22 18:10:47 UTC Type: Support Patch
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1353755, 1360356    

Description Jason Shepherd 2016-07-20 06:18:25 UTC 
jbews-2.1.0 tracking bug for httpd: see blocks bug list for full details of the security issue(s).

This bug is never intended to be made public, please put any public notes
in the blocked bugs.

[bug automatically created by: add-tracking-bugs]
Comment 2 Timothy Walsh 2016-07-28 04:26:24 UTC 
EAP 5.2: 
========
HTTPD wasn't shipped with EAP 5.2.  Customers had to have a subscription to EWS for httpd support.  This was changed in EAP 6.4.9 when httpd became bundled.  There is a httpd.dll that appears in the natives which is being investigated.  Customers still using EAP 5.2 are directed to use the EWS 2.1.1 release currently GA early August. 

jclere:
After some research the httpd comes from EWS per:
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/HTTP_Connectors_Load_Balancing_Guide/ch06s02.html

but we have the ./native/bin/libhttpd.dll and I think it contains the
affected code, according to makefile see
http://git.app.eng.bos.redhat.com/git/httpd.git/tree/NMAKElibhttpd?h=jbcs-httpd-2.4.18#n82

I don't think that the makefile ever changed since 2.0.x, so we are affected.

The investigation done with Michal/Coty shows:
1 - customer uses EWS for Apache httpd server and it has it own
libhttpd.dll we are fixing the issue in ews-2.1.1

2 - the libhttpd.dll in eap5.2 seems to be a packaging error and
shouldn't be used.

We need to document those facts to prevent any one using the
libhttpd.dll of eap5.2 once we have ews-2.1.1 ready.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1353762#c50
Comment 6 errata-xmlrpc 2016-08-22 18:10:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-1650.html