Bug 1353755 (CVE-2016-5387, httpoxy) - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
Summary: CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplie...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-5387, httpoxy
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20160718,repo...
Depends On: 1360529 1354577 1354578 1354579 1354580 1354581 1354582 1357597 1358118 1360356 1360357
Blocks: 1353762 1358998
TreeView+ depends on / blocked
 
Reported: 2016-07-07 22:52 UTC by Kurt Seifried
Modified: 2019-06-08 21:19 UTC (History)
43 users (show)

Fixed In Version: httpd 2.4.24, httpd 2.2.32
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
Clone Of:
Environment:
Last Closed: 2016-10-13 08:59:55 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1420 normal SHIPPED_LIVE Important: httpd24-httpd security update 2016-07-18 19:30:41 UTC
Red Hat Product Errata RHSA-2016:1421 normal SHIPPED_LIVE Important: httpd security update 2016-07-18 21:29:00 UTC
Red Hat Product Errata RHSA-2016:1422 normal SHIPPED_LIVE Important: httpd security and bug fix update 2016-07-18 20:50:15 UTC
Red Hat Product Errata RHSA-2016:1624 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update 2016-08-17 22:01:11 UTC
Red Hat Product Errata RHSA-2016:1625 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP 2.4.6 Service Pack 1 security update 2016-08-17 22:17:24 UTC
Red Hat Product Errata RHSA-2016:1635 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update 2016-08-18 22:20:54 UTC
Red Hat Product Errata RHSA-2016:1636 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update 2016-08-18 22:58:42 UTC
Red Hat Product Errata RHSA-2016:1648 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.1 security update on RHEL 7 2016-08-22 22:07:56 UTC
Red Hat Product Errata RHSA-2016:1649 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.1 security update on RHEL 6 2016-08-22 22:07:30 UTC
Red Hat Product Errata RHSA-2016:1650 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.1 security update 2016-08-22 22:07:23 UTC
Red Hat Product Errata RHSA-2016:1851 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP 2.4.6 Service Pack 1 security update 2016-09-12 20:57:52 UTC

Description Kurt Seifried 2016-07-07 22:52:38 UTC
Dominic Scheirlinck of VendHQ reports:

Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service. 

The Apache HTTPD server sets various environmental variables based on headers that can then be used in CGI scripts (e.g. via mod_cgi). If passed a “Proxy” header in the request Apache will automatically populate the HTTP_PROXY environmental variable with whatever user supplied value is present.

Comment 1 Kurt Seifried 2016-07-07 22:52:42 UTC
Acknowledgments:

Name: Scott Geary (VendHQ)

Comment 12 Tomas Hoger 2016-07-18 14:30:20 UTC
Detailed write-up from the original reporter:

https://httpoxy.org/

Advisory from the Apache Software Foundation (which covers httpd, and also Tomcat and Traffic Server):

https://www.apache.org/security/asf-httpoxy-response.txt

ASF plans to address this issue in httpd versions 2.4.24 and 2.2.32.

Comment 14 Stefan Cornelius 2016-07-18 15:31:38 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1357597]

Comment 15 errata-xmlrpc 2016-07-18 15:33:31 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2016:1420 https://access.redhat.com/errata/RHSA-2016:1420

Comment 16 errata-xmlrpc 2016-07-18 16:50:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1422 https://access.redhat.com/errata/RHSA-2016:1422

Comment 17 errata-xmlrpc 2016-07-18 17:29:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2016:1421 https://access.redhat.com/errata/RHSA-2016:1421

Comment 25 Fedora Update System 2016-07-22 15:58:56 UTC
httpd-2.4.23-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2016-07-27 20:52:14 UTC
httpd-2.4.23-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 33 errata-xmlrpc 2016-08-17 18:02:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.0.3

Via RHSA-2016:1624 https://rhn.redhat.com/errata/RHSA-2016-1624.html

Comment 35 errata-xmlrpc 2016-08-17 19:37:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services Apache HTTP 2.4.6

Via RHSA-2016:1625 https://rhn.redhat.com/errata/RHSA-2016-1625.html

Comment 36 errata-xmlrpc 2016-08-18 18:22:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2016:1635 https://access.redhat.com/errata/RHSA-2016:1635

Comment 37 errata-xmlrpc 2016-08-18 19:01:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2016:1636 https://access.redhat.com/errata/RHSA-2016:1636

Comment 38 errata-xmlrpc 2016-08-22 18:10:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 2.1.1

Via RHSA-2016:1650 https://rhn.redhat.com/errata/RHSA-2016-1650.html

Comment 39 errata-xmlrpc 2016-08-22 18:11:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6

Via RHSA-2016:1649 https://rhn.redhat.com/errata/RHSA-2016-1649.html

Comment 40 errata-xmlrpc 2016-08-22 18:12:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2016:1648 https://rhn.redhat.com/errata/RHSA-2016-1648.html

Comment 41 errata-xmlrpc 2016-09-12 16:59:08 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services on RHEL 6

Via RHSA-2016:1851 https://access.redhat.com/errata/RHSA-2016:1851


Note You need to log in before you can comment on or make changes to this bug.