Bug 988488 (CVE-2016-5387) - VUL-0: CVE-2016-5387: apache2: Setting HTTP_PROXY environment variable via Proxy header (httpoxy)
Summary: VUL-0: CVE-2016-5387: apache2: Setting HTTP_PROXY environment variable via Pr...
Status: RESOLVED FIXED
Duplicates: CVE-2016-1000104 989684 (view as bug list)
Alias: CVE-2016-5387
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Deadline: 2016-07-28
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2016-5387:5.0:(AV:N/A...
Keywords:
Depends on:
Blocks: httpoxy
Reported: 2016-07-12 06:58 UTC by Andreas Stieger
Modified: 2020-06-09 11:39 UTC (History)
CC List: 11 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 2 Swamp Workflow Management 2016-07-12 22:01:15 UTC
bugbot adjusting priority
Comment 9 Swamp Workflow Management 2016-07-14 07:48:40 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-07-28.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62896
Comment 10 Andreas Stieger 2016-07-18 14:05:43 UTC
Public at https://httpoxy.org/

Quoting from https://www.apache.org/security/asf-httpoxy-response.txt

Advisory: Apache Software Foundation Projects and "httpoxy" CERT VU#797896

Canonical URL: https://www.apache.org/security/asf-httpoxy-response.txt

Publication: v1.0  18 July 2016


Audience
--------

This Advisory is directed to HTTP web server administrators and users of
the software indicated below, including CGI developers.

This Advisory is not directed to a general audience, especially web browser
users. The issues raised by the "httpoxy" class of vulnerabilities affect
web servers, and are not an issue for consumers of web services to address.


Background
----------

The ASF (Apache Software Foundation) offers a number of software packages
which offer HTTP protocol ("Web") requests and responses, and offer the
developer or administrator CGI (Common Gateway Interface) routing through
these software packages.

The Apache HTTP Server (httpd and mod_fcgid), Apache Perl (mod_perl) and
Apache Tomcat projects all offer CGI handling of HTTP requests.

The Apache Traffic Server proxies HTTP requests, but offers no CGI support.

Many other ASF projects utilize the HTTP protocol, but at this time we have
not identified any which provide CGI handling, or forward the HTTP "Proxy:"
header implicated in the "httpoxy" class of issues. In the event that other
projects discover such a defect, or can contribute to mitigating this class
of issues, this Advisory will be updated.

Note especially that PHP (http://www.php.net) is not an Apache Software
Foundation project (this is a common point of confusion), and that this
Advisory does not attempt to address third-party software, scripts, 
libraries or components affected by the "httpoxy" group of issues.

See https://httpoxy.org/ (not affiliated with the ASF) for a complete 
discussion of the "httpoxy" class of issues, which are not reiterated
in this advisory.

The Apache Software Foundation wishes to thank Dominic Scheirlinck
and Scott Geary of Vend for bringing this issue to the attention of
the ASF Security Team for a well-coordinated community response.


Apache HTTP Server (httpd)
--------------------------

Apache HTTP Server may be configured to proxy HTTP requests as a forward
or reverse (gateway) proxy server, can proxy requests to a FastCGI service
using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi
or mod_cgid or the related mod_isapi service. The project's mod_fcgid
subproject (available as a separate add-in module) directly manages CGI
scripts using the FastCGI protocol.

It may also be configured to directly host a number of external modules
which run CGI-style applications in-process. The server itself does not 
modify the CGI environment in this case, however, these external modules
may perform such modifications of their environment variables in-process.
Such examples include mod_php, mod_perl and mod_wsgi.

To mitigate "httpoxy" issues across all of the above mechanisms, the most
direct solution is to drop any "Proxy:" header arriving from an upstream
proxy server or the origin user-agent. This will mitigate the issue for any
vulnerable back-end server or CGI across all traffic through this server. 

The two lines below, enabled in the httpd.conf file, will remove the "Proxy:"
header from all incoming requests before further processing:

    LoadModule headers_module {path-to}/mod_headers.so

    RequestHeader unset Proxy early

(Users who have mod_headers compiled-in to the httpd binary must omit
the LoadModule directive above, others must adjust the {path-to} to point
to the mod_headers.so file.)

If the administrator wishes to preserve the value of the "Proxy:" header
for most traffic, and only eliminate it from the CGI environment variable
HTTP_PROXY, a second mitigation is offered. This patch will address this
behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid,
along with all other consumers of httpd's built-in environment handling.

The bundled httpd modules all rely on ap_add_common_vars() to set up the
target CGI environment. The project will include the recommended patch
below in all subsequent releases of httpd, including 2.4.24 and 2.2.32.
Users who build httpd 2.2.x or 2.4.x from source may apply the patch below,
recompile and re-install httpd to obtain this mitigation. This mitigation
has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>.

======= Patch to httpd sources 2.4.x and 2.2.x =======
--- server/util_script.c	(revision 1752426)
+++ server/util_script.c	(working copy)
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
         }
+        /* HTTP_PROXY collides with a popular envvar used to configure
+         * proxies, don't let clients set/override it.  But, if you must...
+         */
+#ifndef SECURITY_HOLE_PASS_PROXY
+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+            ;
+        }
+#endif
         /*
          * You really don't want to disable this check, since it leaves you
          * wide open to CGIs stealing passwords and people viewing them
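Review bot: the new `else if (!strcasecmp(hdrs[i].key, "Proxy")) { ; }` branch does what is intended (it catches the header before it falls through to the generic HTTP_* mapping), but a bare `;` body reads like an unfinished edit; put the intent in the body, e.g. `/* intentionally dropped: must not become HTTP_PROXY */`, so it is as self-explanatory as the existing opt-out check whose warning comment ("You really don't want to disable this check") follows this hunk. The `SECURITY_HOLE_PASS_PROXY` escape hatch is introduced with no documentation beyond "But, if you must...", so it should be documented wherever the existing SECURITY_HOLE_ opt-out is, together with a statement that enabling it re-opens CVE-2016-5387. Finally, since the change lives in ap_add_common_vars() it protects only consumers of httpd's built-in environment handling; the advisory's own text above notes that in-process modules such as mod_php, mod_perl and mod_wsgi may build their environment themselves, so the `RequestHeader unset Proxy early` mitigation remains the one that covers those and the two should be presented as complementary rather than alternatives.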
======= End Patch =======


Apache HTTP Server (mod_fcgid)
------------------------------

Either mitigation listed above for Apache HTTP Server (httpd) also mitigates
all risks for CGIs which are invoked by mod_fcgid. Therefore any CVE with
respect to mod_fcgid is revoked as duplicate of CVE-2016-5387.


Apache Perl Module (mod_perl)
-----------------------------

Either mitigation listed for Apache HTTP Server (httpd) guidance above
also mitigates "httpoxy" risks for requests which are served by mod_perl.

Note also that the Perl LWP::HTTP package has long avoided recognizing
the HTTP_PROXY environment variable, when serving CGI requests.


Apache Tomcat
-------------
[...]
Apache Traffic Server (ATS)
---------------------------
[...]
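Added worked example (not from this bug report, the ASF advisory or the httpd sources): a Python model of the header-to-CGI-environment step the advisory describes, showing the unpatched and patched behaviour of ap_add_common_vars() side by side, a check that tells whether a gateway still leaks the header into HTTP_PROXY, and the consumer-side guard that several HTTP client libraries adopted after httpoxy (ignore HTTP_PROXY whenever REQUEST_METHOD is set). The `http2env` mapping is a simplification of httpd's, the request header list is constructed for the demonstration, and all function names are hypothetical.

```python
"""httpoxy (CVE-2016-5387) modelled in Python: how a "Proxy:" request header
becomes the HTTP_PROXY environment variable of a CGI, and three defences.
Added example; not code from the SUSE bug, the ASF advisory or httpd."""

from typing import Dict, List, Optional, Tuple

# Constructed attacker request. "Proxy" is not a standard request header,
# so dropping it breaks nothing legitimate.
ATTACK_HEADERS: List[Tuple[str, str]] = [
    ("Host", "www.example.com"),
    ("User-Agent", "curl/7.47.0"),
    ("Content-Type", "application/x-www-form-urlencoded"),
    ("Content-Length", "11"),
    ("Proxy", "http://attacker.example:8080"),
]


def http2env(name: str) -> str:
    """Header name -> CGI meta-variable name (RFC 3875 style).

    Assumption: simplified version of httpd's http2env(): uppercase every
    character, turn every non-alphanumeric into '_', prefix with HTTP_.
    """
    return "HTTP_" + "".join(c.upper() if c.isalnum() else "_" for c in name)


def build_cgi_env(headers: List[Tuple[str, str]],
                  drop_proxy: bool = True) -> Dict[str, str]:
    """Model of ap_add_common_vars(): request headers -> CGI environment.

    drop_proxy=False reproduces the pre-patch behaviour (CVE-2016-5387);
    drop_proxy=True swallows "Proxy" exactly as the empty else-if branch in
    the advisory's util_script.c patch does. Header matching is
    case-insensitive, like strcasecmp() in the patch.
    """
    env: Dict[str, str] = {}
    for key, val in headers:
        k = key.lower()
        if k == "content-type":
            env["CONTENT_TYPE"] = val
        elif k == "content-length":
            env["CONTENT_LENGTH"] = val
        elif k == "authorization":
            continue  # httpd withholds client credentials from CGIs by default
        elif drop_proxy and k == "proxy":
            continue  # the fix: a client header must never become HTTP_PROXY
        else:
            env[http2env(key)] = val
    return env


def proxy_header_leaked(env: Dict[str, str]) -> bool:
    """Detection from inside a CGI: REQUEST_METHOD proves we run under CGI,
    and there HTTP_PROXY can only have come from a request header, so its
    presence means the gateway is unpatched and has no
    'RequestHeader unset Proxy early' rule."""
    return "REQUEST_METHOD" in env and "HTTP_PROXY" in env


def effective_proxy(env: Dict[str, str]) -> Optional[str]:
    """Consumer-side defence for an HTTP client library: honour HTTP_PROXY
    only when not running under CGI. Inside CGI consult just the lowercase
    http_proxy, which a CGI gateway never sets (the check client libraries
    adopted after httpoxy; assumed to run before every outbound request)."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


if __name__ == "__main__":
    vulnerable = dict(build_cgi_env(ATTACK_HEADERS, drop_proxy=False),
                      REQUEST_METHOD="POST")
    patched = dict(build_cgi_env(ATTACK_HEADERS), REQUEST_METHOD="POST")
    print("unpatched HTTP_PROXY:", vulnerable.get("HTTP_PROXY"),
          "leaked:", proxy_header_leaked(vulnerable))
    print("patched   HTTP_PROXY:", patched.get("HTTP_PROXY"),
          "leaked:", proxy_header_leaked(patched))
    print("proxy a CGI-aware client would use:", effective_proxy(vulnerable))
```

Against a real deployment the equivalent check is a request carrying `Proxy: http://attacker.example:8080` to a CGI that dumps its environment: after either the `RequestHeader unset Proxy early` rule or the util_script.c patch, HTTP_PROXY must be absent from the output. The consumer-side guard is worth keeping even on a patched server, because in-process modules that build their own environment are not covered by the httpd patch.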
Comment 11 Andreas Stieger 2016-07-18 14:09:41 UTC
*** Bug 988492 has been marked as a duplicate of this bug. ***
Comment 13 Swamp Workflow Management 2016-07-18 17:09:00 UTC
SUSE-SU-2016:1818-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 988488
CVE References: CVE-2016-5387
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    apache2-2.4.16-7.1
SUSE Linux Enterprise Server 12-SP1 (src):    apache2-2.4.16-7.1
Comment 14 Swamp Workflow Management 2016-07-18 17:09:26 UTC
SUSE-SU-2016:1819-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 988488
CVE References: CVE-2016-5387
Sources used:
SUSE Studio Onsite 1.3 (src):    apache2-2.2.12-64.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    apache2-2.2.12-64.1
SUSE Linux Enterprise Server 11-SP4 (src):    apache2-2.2.12-64.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    apache2-2.2.12-64.1
Comment 15 Bernhard Wiedemann 2016-07-18 18:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (988488) was mentioned in
https://build.opensuse.org/request/show/411892 13.2 / apache2
Comment 16 Swamp Workflow Management 2016-07-19 12:09:38 UTC
openSUSE-SU-2016:1824-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 988488
CVE References: CVE-2016-5387
Sources used:
openSUSE Leap 42.1 (src):    apache2-2.4.16-12.1
openSUSE 13.2 (src):    apache2-2.4.10-31.1
Comment 17 Marcus Meissner 2016-08-02 12:10:40 UTC
*** Bug 989684 has been marked as a duplicate of this bug. ***
Comment 20 Swamp Workflow Management 2016-08-17 11:09:23 UTC
SUSE-SU-2016:2090-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (moderate)
Bug References: 951692,970391,973381,988488
CVE References: CVE-2016-5387
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    apache2-2.4.10-14.17.1
SUSE Linux Enterprise Server 12-LTSS (src):    apache2-2.4.10-14.17.1
Comment 21 Swamp Workflow Management 2016-08-19 17:10:04 UTC
openSUSE-SU-2016:2115-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 988488
CVE References: CVE-2016-1000104,CVE-2016-5387
Sources used:
openSUSE Leap 42.1 (src):    apache2-mod_fcgid-2.3.9-7.1
openSUSE 13.2 (src):    apache2-mod_fcgid-2.3.9-2.5.1
Comment 23 Marcus Meissner 2016-12-22 13:24:38 UTC
released