Dominic Scheirlinck of VendHQ reports: Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service. The Tomcat server contains support for CGI. If passed a “Proxy” header in the request CGIServlet will automatically populate the HTTP_PROXY environmental variable with whatever user supplied value is present.
Acknowledgments: Name: Scott Geary (VendHQ)
This issue has been addressed in the following products: Red Hat JBoss Web Server 3.0.3 Via RHSA-2016:1624 https://rhn.redhat.com/errata/RHSA-2016-1624.html
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Via RHSA-2016:1635 https://access.redhat.com/errata/RHSA-2016:1635
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2016:1636 https://access.redhat.com/errata/RHSA-2016:1636
Created attachment 1199336 [details] tomcat-8.0.36-CVE-2016-5388.patch Hi, Applying this attached patch fixes this secutity issue from https://svn.apache.org/viewvc?view=revision&revision=1756941 Or also updating to latest 8.0.37 release. Regards, David
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1375581] Affects: epel-all [bug 1375582]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html