Bug 1358118 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header [jbews-2.1.0]
Summary: CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplie...
Status: CLOSED ERRATA
Alias: None
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: httpd
Version: 2.1.0
Hardware: All
OS: Linux
high
high
Target Milestone: CR01
: 2.1.1
Assignee: George Zaronikas
QA Contact: fgoldefu
URL:
Whiteboard:
Keywords: Security, SecurityTracking
Depends On:
Blocks: 1360356 CVE-2016-5387, httpoxy
TreeView+ depends on / blocked
 
Reported: 2016-07-20 06:18 UTC by Jason Shepherd
Modified: 2016-08-22 18:10 UTC (History)
11 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2016-08-22 18:10:47 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1648 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.1 security update on RHEL 7 2016-08-22 22:07:56 UTC
Red Hat Product Errata RHSA-2016:1649 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.1 security update on RHEL 6 2016-08-22 22:07:30 UTC
Red Hat Product Errata RHSA-2016:1650 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.1 security update 2016-08-22 22:07:23 UTC

Description Jason Shepherd 2016-07-20 06:18:25 UTC
jbews-2.1.0 tracking bug for httpd: see blocks bug list for full details of the security issue(s).

This bug is never intended to be made public, please put any public notes
in the blocked bugs.

[bug automatically created by: add-tracking-bugs]

Comment 2 Timothy Walsh 2016-07-28 04:26:24 UTC
EAP 5.2: 
========
HTTPD wasn't shipped with EAP 5.2.  Customers had to have a subscription to EWS for httpd support.  This was changed in EAP 6.4.9 when httpd became bundled.  There is a httpd.dll that appears in the natives which is being investigated.  Customers still using EAP 5.2 are directed to use the EWS 2.1.1 release currently GA early August. 

jclere:
After some research the httpd comes from EWS per:
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/HTTP_Connectors_Load_Balancing_Guide/ch06s02.html

but we have the ./native/bin/libhttpd.dll and I think it contains the
affected code, according to makefile see
http://git.app.eng.bos.redhat.com/git/httpd.git/tree/NMAKElibhttpd?h=jbcs-httpd-2.4.18#n82

I don't think that the makefile ever changed since 2.0.x, so we are affected.

The investigation done with Michal/Coty shows:
1 - customer uses EWS for Apache httpd server and it has it own
libhttpd.dll we are fixing the issue in ews-2.1.1

2 - the libhttpd.dll in eap5.2 seems to be a packaging error and
shouldn't be used.

We need to document those facts to prevent any one using the
libhttpd.dll of eap5.2 once we have ews-2.1.1 ready.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1353762#c50

Comment 6 errata-xmlrpc 2016-08-22 18:10:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-1650.html


Note You need to log in before you can comment on or make changes to this bug.