(Red Hat Issues Fix for JBoss) Apache HTTPD CGI Application "Proxy:" Header Processing Flaw Lets Remote Users Redirect the Target CGI Application Requests to an Arbitrary Web Proxy in Certain Cases
SecurityTracker Alert ID: 1036661|
SecurityTracker URL: http://securitytracker.com/id/1036661
(Links to External Site)
Date: Aug 19 2016
Disclosure of system information, Disclosure of user information, Host/resource access via network, Modification of system information, Modification of user information|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
A vulnerability reported in CGI applications that run on Apache HTTPD. A remote user can redirect the target CGI application requests to an arbitrary web proxy in certain cases. JBoss is affected.|
On systems where the Apache HTTPD server is configured to proxy HTTP requests and the target CGI application relies on the HTTP_PROXY environment variable in a trusted manner, a remote user can send (or can conduct a man-in-the-middle attack to insert or modify) a specially crafted HTTP "Proxy:" header to cause the target CGI application to proxy HTTP connections to an arbitrary port on an arbitrary server. This can be exploited to set the HTTP_PROXY variable on the target CGI application server and cause CGI application server internal requests to be proxied, in certain cases.
The vulnerability resides in the CGI applications that use the HTTP_PROXY variable.
[Editor's note: This is not an Apache HTTPD vulnerability, per se. Rather, it is a vulnerability in CGI modules or applications that may run on Apache HTTPD or other web server platforms.]
Other CGI application platforms are affected.
The original advisory is available at:
Dominic Scheirlinck and Scott Geary of Vend reported this vulnerability. Other researchers have reported aspects of this vulnerability affecting various applications since at least 2001.
A remote user that can conduct a man-in-the-middle attack can redirect the target CGI application requests to an arbitrary web proxy in certain cases.|
Red Hat has issued a fix for JBoss.|
The Red Hat advisory is available at:
Vendor URL: access.redhat.com/errata/RHSA-2016:1635 (Links to External Site)
Access control error|
|Underlying OS: Linux (Red Hat Enterprise)|
|Underlying OS Comments: 7|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: [RHSA-2016:1635-01] Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update|
-----BEGIN PGP SIGNED MESSAGE-----
Red Hat Security Advisory
Synopsis: Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update
Advisory ID: RHSA-2016:1635-01
Product: Red Hat JBoss Web Server
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1635
Issue date: 2016-07-22
Updated on: 2016-08-18
CVE Names: CVE-2016-5387 CVE-2016-5388
Updated packages that provide Red Hat JBoss Web Server 3.0.3 Service Pack 1
and fixes two security issues and a bug with ajp processors are now
available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat JBoss Web Server 3.0 for RHEL 7 - noarch, x86_64
This release of Red Hat JBoss Web Server 3.0.3 Service Pack 1 serves as a
update for Red Hat JBoss Web Server 3.0.3 httpd and tomcat.
* It was discovered that httpd used the value of the Proxy header from HTTP
requests to initialize the HTTP_PROXY environment variable for CGI scripts,
which in turn was incorrectly used by certain HTTP client implementations
to configure the proxy for outgoing HTTP requests. A remote attacker could
possibly use this flaw to redirect HTTP requests performed by a CGI script
to an attacker-controlled proxy via a malicious HTTP request.
* It was discovered that tomcat used the value of the Proxy header from
HTTP requests to initialize the HTTP_PROXY environment variable for CGI
scripts, which in turn was incorrectly used by certain HTTP client
implementations to configure the proxy for outgoing HTTP requests. A remote
attacker could possibly use this flaw to redirect HTTP requests performed
by a CGI script to an attacker-controlled proxy via a malicious HTTP
Note: After this update, httpd will no longer pass the value of the Proxy
request header to scripts via the HTTP_PROXY environment variable.
Red Hat would like to thank Scott Geary (VendHQ) for reporting these
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
After installing the updated packages, the httpd daemon will be restarted
After installing the updated packages, follow the instructions in this
knowledgebase article to configure Tomcat:
5. Bugs fixed (https://bugzilla.redhat.com/):
1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
1353809 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
6. Package List:
Red Hat JBoss Web Server 3.0 for RHEL 7:
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
The Red Hat security contact is <email@example.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
RHSA-announce mailing list