SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Apache HTTPD Vendors:   Apache Software Foundation
(Red Hat Issues Fix) Apache HTTPD CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases
SecurityTracker Alert ID:  1036333
SecurityTracker URL:  http://securitytracker.com/id/1036333
CVE Reference:   CVE-2016-5387   (Links to External Site)
Date:  Jul 18 2016
Impact:   Disclosure of system information, Disclosure of user information, Host/resource access via network, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability reported in CGI applications that run on Apache HTTPD. A remote user can redirect the target CGI application requests to an arbitrary web proxy in certain cases.

On systems where the Apache HTTPD server is configured to proxy HTTP requests and the target CGI application relies on the HTTP_PROXY environment variable in a trusted manner, a remote user can send (or can conduct a man-in-the-middle attack to insert or modify) a specially crafted HTTP "Proxy:" header to cause the target CGI application to proxy HTTP connections to an arbitrary port on an arbitrary server. This can be exploited to set the HTTP_PROXY variable on the target CGI application server and cause CGI application server internal requests to be proxied, in certain cases.

The vulnerability resides in the CGI applications that use the HTTP_PROXY variable.

[Editor's note: This is not an Apache HTTPD vulnerability, per se. Rather, it is a vulnerability in CGI modules or applications that may run on Apache HTTPD or other web server platforms.]

Other CGI application platforms are affected.

The original advisory is available at:

https://httpoxy.org/

Dominic Scheirlinck and Scott Geary of Vend reported this vulnerability. Other researchers have reported aspects of this vulnerability affecting various applications since at least 2001.

Impact:   A remote user that can conduct a man-in-the-middle attack can redirect the target CGI application requests to an arbitrary web proxy in certain cases.
Solution:   Red Hat has issued a fix.

The Red Hat advisory is available at:

https://access.redhat.com/errata/RHSA-2016:1420

Vendor URL:  access.redhat.com/errata/RHSA-2016:1420 (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Red Hat Enterprise)
Underlying OS Comments:  6, 6.6, 6.7, 7, 7.1, 7.2

Message History:   This archive entry is a follow-up to the message listed below.
Jul 18 2016 Apache HTTPD CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases



 Source Message Contents

Subject:  [RHSA-2016:1420-01] Important: httpd24-httpd security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: httpd24-httpd security update
Advisory ID:       RHSA-2016:1420-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:1420
Issue date:        2016-07-18
CVE Names:         CVE-2016-4979 CVE-2016-5387 
=====================================================================

1. Summary:

An update for httpd24-httpd is now available for Red Hat Software
Collections.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64

3. Description:

The httpd packages provide the Apache HTTP Server, a powerful, efficient,
and extensible web server.

Security Fix(es):

* It was discovered that httpd used the value of the Proxy header from HTTP
requests to initialize the HTTP_PROXY environment variable for CGI scripts,
which in turn was incorrectly used by certain HTTP client implementations
to configure the proxy for outgoing HTTP requests. A remote attacker could
possibly use this flaw to redirect HTTP requests performed by a CGI script
to an attacker-controlled proxy via a malicious HTTP request.
(CVE-2016-5387)

Note: After this update, httpd will no longer pass the value of the Proxy
request header to scripts via the HTTP_PROXY environment variable.

* A flaw was found in the way httpd performed client authentication using
X.509 client certificates. When the HTTP/2 protocol was enabled, a remote
attacker could use this flaw to access resources protected by certificate
authentication without providing a valid client certificate.
(CVE-2016-4979)

Red Hat would like to thank Scott Geary (VendHQ) for reporting
CVE-2016-5387 and Apache Software Foundation for reporting CVE-2016-4979.
Upstream acknowledges Erki Aring (Liewenthal Electronics Ltd) as the
original reporter of CVE-2016-4979.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted
automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1352476 - CVE-2016-4979 httpd: X509 client certificate authentication bypass using HTTP/2
1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6):

Source:
httpd24-httpd-2.4.18-11.el6.src.rpm

noarch:
httpd24-httpd-manual-2.4.18-11.el6.noarch.rpm

x86_64:
httpd24-httpd-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el6.x86_64.rpm
httpd24-mod_session-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6):

Source:
httpd24-httpd-2.4.18-11.el6.src.rpm

noarch:
httpd24-httpd-manual-2.4.18-11.el6.noarch.rpm

x86_64:
httpd24-httpd-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el6.x86_64.rpm
httpd24-mod_session-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7):

Source:
httpd24-httpd-2.4.18-11.el6.src.rpm

noarch:
httpd24-httpd-manual-2.4.18-11.el6.noarch.rpm

x86_64:
httpd24-httpd-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el6.x86_64.rpm
httpd24-mod_session-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6):

Source:
httpd24-httpd-2.4.18-11.el6.src.rpm

noarch:
httpd24-httpd-manual-2.4.18-11.el6.noarch.rpm

x86_64:
httpd24-httpd-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el6.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el6.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el6.x86_64.rpm
httpd24-mod_session-2.4.18-11.el6.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el6.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
httpd24-httpd-2.4.18-11.el7.src.rpm

noarch:
httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm

x86_64:
httpd24-httpd-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm
httpd24-mod_session-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1):

Source:
httpd24-httpd-2.4.18-11.el7.src.rpm

noarch:
httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm

x86_64:
httpd24-httpd-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm
httpd24-mod_session-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.2):

Source:
httpd24-httpd-2.4.18-11.el7.src.rpm

noarch:
httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm

x86_64:
httpd24-httpd-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm
httpd24-mod_session-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
httpd24-httpd-2.4.18-11.el7.src.rpm

noarch:
httpd24-httpd-manual-2.4.18-11.el7.noarch.rpm

x86_64:
httpd24-httpd-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-debuginfo-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-devel-2.4.18-11.el7.x86_64.rpm
httpd24-httpd-tools-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ldap-2.4.18-11.el7.x86_64.rpm
httpd24-mod_proxy_html-2.4.18-11.el7.x86_64.rpm
httpd24-mod_session-2.4.18-11.el7.x86_64.rpm
httpd24-mod_ssl-2.4.18-11.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-4979
https://access.redhat.com/security/cve/CVE-2016-5387
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/security/vulnerabilities/httpoxy
https://access.redhat.com/solutions/2435501

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFXjPqfXlSAg2UNWIIRAgVvAJ9PN8fc1EVHIFP+915Pi04rE7WRPQCggjRn
IzTV/EJp4IUFHLb4E6gkn10=
=R+w5
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC