JPCERT-AT-2016-0031
JPCERT/CC
2016-07-19
JPCERTCC Alert 2016-07-19
Vulnerabilities (CVE-2016-5385, etc.) in Web Servers Using CGI
https://www.jpcert.or.jp/english/at/2016/at160031.html
I. Overview
Vulnerabilities (CVE-2016-5385, etc.) in web servers that use CGI have
been reported. When a request containing a Proxy header is received from
a remote client, the web server assigns the header's value to the server
environment variable HTTP_PROXY, which the CGI application may then treat
as a legitimate proxy setting. When these vulnerabilities are exploited,
man-in-the-middle attacks may be performed or a connection to an
unauthorized host may be established.
Software meeting the following condition is affected by these vulnerabilities.
- Web servers or web applications that establish outbound communications
referencing the HTTP_PROXY environment variable.
For more information on the vulnerabilities and their impact, please
refer to the following information.
Vulnerability Note VU#797896
CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables
https://www.kb.cert.org/vuls/id/797896
II. Affected Software
The following software is affected by these vulnerabilities:
- PHP (CVE-2016-5385)
- Go (CVE-2016-5386)
- Apache HTTP Server (CVE-2016-5387)
- Apache Tomcat (CVE-2016-5388)
- HHVM (CVE-2016-1000109)
- Python (CVE-2016-1000110)
Other types of software that use CGI may also be affected. Software
distributors and developers have disclosed the affected products and their
versions. Please refer to the information provided by the developers.
III. Solution and Workarounds
Please consider applying the following workarounds to mitigate the
impact of the vulnerabilities.
- Disable (drop) the Proxy header in incoming requests
- In CGI applications, avoid using the HTTP_PROXY environment variable
- Restrict outbound HTTP traffic from the web server to the minimum
using security devices such as firewalls
For more information on the vulnerabilities and their impact, please
refer to the information provided by the reporter of the vulnerabilities
and by the developers.
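The following Python example is added here to illustrate both the mechanism described in section I (how a client-supplied Proxy header becomes the CGI meta-variable HTTP_PROXY) and the first two workarounds above (dropping the Proxy header before the gateway maps it, and not trusting HTTP_PROXY inside a CGI process). It is not code from JPCERT/CC or from any of the affected projects. The header-to-variable mapping follows RFC 3875; the check in effective_http_proxy() mirrors the approach upstream Python took for CVE-2016-1000110 (ignore the upper-case HTTP_PROXY when REQUEST_METHOD shows the process is a CGI script, but still honour the lower-case http_proxy, which a gateway never sets because CGI upper-cases header names). All request headers and values below are constructed for the demonstration.

```python
"""Added example (not JPCERT/CC's code): the Proxy -> HTTP_PROXY mapping
and two of the advisory's workarounds expressed in code."""
from typing import Dict, Iterable, List, Optional, Tuple

# Headers that RFC 3875 maps to a meta-variable without the HTTP_ prefix;
# every other header becomes HTTP_<NAME>.
_SPECIAL = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 section 4.1.18: upper-case the header name, replace '-' with
    '_' and prefix HTTP_.  This is the step that turns 'Proxy' into
    'HTTP_PROXY', colliding with the variable HTTP client libraries read."""
    lowered = name.strip().lower()
    if lowered in _SPECIAL:
        return _SPECIAL[lowered]
    return "HTTP_" + lowered.upper().replace("-", "_")


def build_cgi_environ(method: str,
                      headers: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Build the (relevant part of the) environment a CGI gateway hands to
    the script: REQUEST_METHOD plus one meta-variable per request header."""
    environ = {"GATEWAY_INTERFACE": "CGI/1.1", "REQUEST_METHOD": method}
    for name, value in headers:
        environ[header_to_meta_variable(name)] = value
    return environ


def strip_proxy_header(headers: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Workaround 1: drop the Proxy request header before the gateway maps
    headers to environment variables.  Doing this at the web server (for
    example with Apache's 'RequestHeader unset Proxy early' or nginx's
    'fastcgi_param HTTP_PROXY "";') has the same effect for every script."""
    return [(n, v) for n, v in headers if n.strip().lower() != "proxy"]


def effective_http_proxy(environ: Dict[str, str]) -> Optional[str]:
    """Workaround 2: an HTTP client running under CGI must not trust
    HTTP_PROXY.  REQUEST_METHOD is only present in a CGI environment, so
    when it is set the upper-case variable may have come from the request
    and is ignored; the lower-case http_proxy is still honoured because a
    CGI gateway never produces a lower-case name.  Outside CGI both
    spellings are accepted (assumption: lower-case takes precedence)."""
    if "REQUEST_METHOD" in environ:
        return environ.get("http_proxy")
    return environ.get("http_proxy") or environ.get("HTTP_PROXY")


def demo() -> Dict[str, Optional[str]]:
    """Run the mapping and both workarounds on a constructed request."""
    request_headers = [("Host", "app.example"),
                       ("Proxy", "http://untrusted.example:8080")]
    unfiltered = build_cgi_environ("GET", request_headers)
    filtered = build_cgi_environ("GET", strip_proxy_header(request_headers))
    return {
        "mapped_variable": header_to_meta_variable("Proxy"),
        "proxy_seen_by_naive_client": unfiltered.get("HTTP_PROXY"),
        "proxy_after_header_strip": filtered.get("HTTP_PROXY"),
        "proxy_after_cgi_aware_check": effective_http_proxy(unfiltered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two workarounds are independent: stripping the header protects every script behind the server, while the CGI-aware check protects a library even when it is deployed behind a server that was not reconfigured. The advisory's third workaround (restricting outbound traffic) limits the damage if both are missing.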
A CGI application vulnerability for PHP, Go, Python and others
https://httpoxy.org/
Software distributors and developers may release updated versions of
software that address the vulnerabilities. It is recommended to periodically
check information provided by the distributors and developers.
IV. References
Vulnerability Note VU#797896
CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables
https://www.kb.cert.org/vuls/id/797896
httpoxy.org
A CGI application vulnerability for PHP, Go, Python and others
https://httpoxy.org/
SIOS Technology
Vulnerabilities where CGI language may be used to rewrite HTTP_PROXY (Japanese)
https://oss.sios.com/security/general-security-20160719
Red Hat, Inc.
HTTPoxy - CGI "HTTP_PROXY" variable name clash
https://access.redhat.com/security/vulnerabilities/httpoxy
The Apache Software Foundation
Advisory: Apache Software Foundation Projects and "httpoxy" CERT VU#797896
https://www.apache.org/security/asf-httpoxy-response.txt
NGINX
Mitigating the HTTPoxy Vulnerability with NGINX
https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
If you have any information regarding this alert, please contact
JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL info@jpcert.or.jp
TEL +81-3-3518-4600 FAX +81-3-3518-4602
https://www.jpcert.or.jp/english/