Bug 1353809 (CVE-2016-5388) - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
Summary: CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied ...
Status: CLOSED ERRATA
Alias: CVE-2016-5388
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160718,repor...
Keywords: Security
Depends On: 1362210 1362211 1362212 1362213 1375581 1375582
Blocks: 1353762 1358998
TreeView+ depends on / blocked
 
Reported: 2016-07-08 04:28 UTC by Kurt Seifried
Modified: 2019-06-08 21:19 UTC (History)
36 users (show)

(edit)
It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
Clone Of:
(edit)
Last Closed: 2016-10-13 08:59:51 UTC


Attachments (Terms of Use)
tomcat-8.0.36-CVE-2016-5388.patch (5.69 KB, patch)
2016-09-09 08:48 UTC, David GEIGER
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1624 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update 2016-08-17 22:01:11 UTC
Red Hat Product Errata RHSA-2016:1635 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update 2016-08-18 22:20:54 UTC
Red Hat Product Errata RHSA-2016:1636 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update 2016-08-18 22:58:42 UTC
Red Hat Product Errata RHSA-2016:2045 normal SHIPPED_LIVE Important: tomcat6 security and bug fix update 2016-10-11 00:38:52 UTC
Red Hat Product Errata RHSA-2016:2046 normal SHIPPED_LIVE Important: tomcat security update 2016-10-11 00:38:43 UTC

Description Kurt Seifried 2016-07-08 04:28:24 UTC
Dominic Scheirlinck of VendHQ reports:

Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service. 

The Tomcat server contains support for CGI. If passed a “Proxy” header in the request CGIServlet will automatically populate the HTTP_PROXY environmental variable with whatever user supplied value is present.

Comment 1 Kurt Seifried 2016-07-08 04:28:26 UTC
Acknowledgments:

Name: Scott Geary (VendHQ)

Comment 11 errata-xmlrpc 2016-08-17 18:02:30 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.0.3

Via RHSA-2016:1624 https://rhn.redhat.com/errata/RHSA-2016-1624.html

Comment 12 errata-xmlrpc 2016-08-18 18:22:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2016:1635 https://access.redhat.com/errata/RHSA-2016:1635

Comment 13 errata-xmlrpc 2016-08-18 19:01:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2016:1636 https://access.redhat.com/errata/RHSA-2016:1636

Comment 14 David GEIGER 2016-09-09 08:48 UTC
Created attachment 1199336 [details]
tomcat-8.0.36-CVE-2016-5388.patch

Hi,

Applying this attached patch fixes this secutity issue

from https://svn.apache.org/viewvc?view=revision&revision=1756941

Or also updating to latest 8.0.37 release.

Regards,
David

Comment 16 Timothy Walsh 2016-09-13 13:32:12 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1375581]
Affects: epel-all [bug 1375582]

Comment 18 errata-xmlrpc 2016-10-10 20:40:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html

Comment 19 errata-xmlrpc 2016-10-10 20:42:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html


Note You need to log in before you can comment on or make changes to this bug.