Bugzilla – Bug 988489
VUL-0: CVE-2016-5388: tomcat: Setting HTTP_PROXY environment variable via Proxy header (httpoxy)
Last modified: 2018-12-14 07:48:16 UTC
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-07-29. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62898
Public at https://httpoxy.org/

Quoting from https://www.apache.org/security/asf-httpoxy-response.txt

Advisory: Apache Software Foundation Projects and "httpoxy"
CERT VU#797896
Canonical URL: https://www.apache.org/security/asf-httpoxy-response.txt
Publication: v1.0 18 July 2016

Audience
--------

This Advisory is directed to HTTP web server administrators and users of the software indicated below, including CGI developers. This Advisory is not directed to a general audience, especially web browser users. The issues raised by the "httpoxy" class of vulnerabilities affect web servers, and are not an issue for consumers of web services to address.

Background
----------

The ASF (Apache Software Foundation) offers a number of software packages which offer HTTP protocol ("Web") requests and responses, and offer the developer or administrator CGI (Common Gateway Interface) routing through these software packages. The Apache HTTP Server (httpd and mod_fcgid), Apache Perl (mod_perl) and Apache Tomcat projects all offer CGI handling of HTTP requests. The Apache Traffic Server proxies HTTP requests, but offers no CGI support. Many other ASF projects utilize the HTTP protocol, but at this time we have not identified any which provide CGI handling, or forward the HTTP "Proxy:" header implicated in the "httpoxy" class of issues. In the event that other projects discover such a defect, or can contribute to mitigating this class of issues, this Advisory will be updated.

Note especially that PHP (http://www.php.net) is not an Apache Software Foundation project (this is a common point of confusion), and that this Advisory does not attempt to address third-party software, scripts, libraries or components affected by the "httpoxy" group of issues. See https://httpoxy.org/ (not affiliated with the ASF) for a complete discussion of the "httpoxy" class of issues, which are not reiterated in this advisory.
The Apache Software Foundation wishes to thank Dominic Scheirlinck and Scott Geary of Vend for bringing this issue to the attention of the ASF Security Team for a well-coordinated community response.

Apache HTTP Server (httpd)
--------------------------

[...]

Apache Tomcat
-------------

Apache Tomcat provides a CGI Servlet that allows executing a CGI script. The CGI Servlet isn't active in the configuration delivered by the ASF, and activating it requires the user to modify the web.xml delivered.

To mitigate "httpoxy" issues in the CGI Servlet there are 3 possible ways:

1 - Add a filter in the webapp that uses CGI scripts: simple code to reject the requests with PROXY headers via a 400 "bad request" error. Map the filter in web.xml of the webapp. Code like the following will allow that:

+++
import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.ServletException;

/*
 * Simple filter: rejects any request that carries a Proxy header
 * before it can reach the CGI Servlet.
 */
public class PoxyFilter implements Filter {

    protected FilterConfig filterConfig;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain)
            throws java.io.IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;
        // getHeader() is case-insensitive, so "Proxy", "PROXY", "proxy" all match.
        String poxy = req.getHeader("proxy");
        if (poxy == null) {
            // call next filter in the chain.
            chain.doFilter(request, response);
        } else {
            res.sendError(400);
        }
    }
}
+++

2 - Add a global valve to reject requests with a PROXY header: create a PoxyValve.java with the content below, compile it, put it in a jar and put the jar in the lib directory of your Tomcat installation.
Add the line <Valve className="PoxyValve" /> in conf/server.xml (for example after the AccessLogValve) and restart Tomcat:

+++
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.valves.ValveBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;

/*
 * Global valve: runs for every request in the pipeline it is
 * configured in, before any webapp or the CGI Servlet sees it.
 */
public class PoxyValve extends ValveBase {

    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // Header lookup is case-insensitive; any Proxy header is rejected.
        String poxy = request.getHeader("Proxy");
        if (poxy != null) {
            response.sendError(400);
            return;
        }
        getNext().invoke(request, response);
    }
}
+++

3 - Fix the CGIServlet code with the following patch, recompile Tomcat, replace the catalina.jar in your installation by the produced one and restart Tomcat:

+++
--- java/org/apache/catalina/servlets/CGIServlet.java (revision 1724080)
+++ java/org/apache/catalina/servlets/CGIServlet.java (working copy)
@@ -1095,7 +1095,8 @@
                 //REMIND: change character set
                 //REMIND: I forgot what the previous REMIND means
                 if ("AUTHORIZATION".equalsIgnoreCase(header) ||
-                    "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
+                    "PROXY_AUTHORIZATION".equalsIgnoreCase(header) ||
+                    "PROXY".equalsIgnoreCase(header)) {
                     //NOOP per CGI specification section 11.2
                 } else {
                     envp.put("HTTP_" + header.replace('-', '_'),
+++

A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388, which will allow the user to prevent values like HTTP_PROXY from being propagated to the CGI Servlet environment.

Apache Traffic Server (ATS)
---------------------------

[..]
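Review bot: the existing comment "//NOOP per CGI specification section 11.2" now also covers the newly added "PROXY".equalsIgnoreCase(header) branch, but the CGI specification only excludes AUTHORIZATION and PROXY_AUTHORIZATION; add a one-line comment on the new condition saying PROXY is dropped so that a client-supplied Proxy header is not exported as HTTP_PROXY (httpoxy), otherwise a later cleanup may remove it as a spec mismatch. The check is applied before the '-' to '_' replacement, so it matches exactly the "Proxy" request header and nothing else, which is the intent.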
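Added example (not from the advisory, and not Tomcat's code): a Python model of the header-to-environment step the CGIServlet patch changes, beside the front-door check the PoxyFilter and PoxyValve perform; the header-name transform and the two exclusion sets are assumptions modelled on the hunk above, and the header values are constructed.

```python
# Model of how a CGI gateway exports request headers as HTTP_* variables.
# The transform (upper-case, '-' -> '_', prefix HTTP_) is an assumption
# modelled on the CGIServlet hunk; the exclusion sets mirror its two states.

# Never exported, per CGI specification section 11.2 (before and after the fix).
CGI_SPEC_EXCLUDED = {"AUTHORIZATION", "PROXY_AUTHORIZATION"}
# Additionally excluded by the httpoxy fix.
HTTPOXY_EXCLUDED = {"PROXY"}


def cgi_env(headers, hardened=True):
    """Build the HTTP_* part of a CGI child's environment from request headers.

    headers:  dict of header name -> value (constructed sample input in tests)
    hardened: False reproduces the pre-fix behaviour, True the patched one.
    """
    excluded = set(CGI_SPEC_EXCLUDED)
    if hardened:
        excluded |= HTTPOXY_EXCLUDED
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key in excluded:
            continue  # the NOOP branch of the hunk
        env["HTTP_" + key] = value
    return env


def reject_status(headers):
    """Front-door check like PoxyFilter/PoxyValve: 400 for any Proxy header.

    Header names are matched case-insensitively, as the servlet API does.
    Returns None when the request may pass through to the next stage.
    """
    for name in headers:
        if name.lower() == "proxy":
            return 400
    return None


def unhardened_leaks_proxy(headers):
    """True when the unpatched mapping would hand the request's Proxy header
    to the CGI child as HTTP_PROXY, the condition httpoxy is about."""
    return "HTTP_PROXY" in cgi_env(headers, hardened=False)
```

Without the fix a Proxy header becomes HTTP_PROXY in the child's environment, which many HTTP client libraries honour for outbound requests; either the front-door reject or the patched mapping prevents that.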
SUSE-SU-2016:2188-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 986359,988489 CVE References: CVE-2016-3092,CVE-2016-5388 Sources used: SUSE Linux Enterprise Server 12-SP1 (src): tomcat-8.0.32-8.7
SUSE-SU-2016:2229-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 988489 CVE References: CVE-2016-5388 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): tomcat6-6.0.45-0.53.2
openSUSE-SU-2016:2252-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 986359,988489 CVE References: CVE-2016-3092,CVE-2016-5388 Sources used: openSUSE Leap 42.1 (src): tomcat-8.0.32-8.1
released
SUSE-SU-2017:1632-1: An update that solves 10 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 1007853,1007854,1007855,1007857,1007858,1011805,1011812,1015119,1033448,1036642,988489 CVE References: CVE-2016-0762,CVE-2016-5018,CVE-2016-5388,CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-6816,CVE-2016-8735,CVE-2016-8745,CVE-2017-5647 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): tomcat6-6.0.53-0.56.1 SUSE Linux Enterprise Server 11-SP3-LTSS (src): tomcat6-6.0.53-0.56.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): tomcat6-6.0.53-0.56.1
SUSE-SU-2017:1660-1: An update that fixes 12 vulnerabilities is now available. Category: security (important) Bug References: 1007853,1007854,1007855,1007857,1007858,1011805,1011812,1015119,1033447,1033448,986359,988489 CVE References: CVE-2016-0762,CVE-2016-3092,CVE-2016-5018,CVE-2016-5388,CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-6816,CVE-2016-8735,CVE-2016-8745,CVE-2017-5647,CVE-2017-5648 Sources used: SUSE Linux Enterprise Server for SAP 12 (src): tomcat-7.0.78-7.13.4 SUSE Linux Enterprise Server 12-LTSS (src): tomcat-7.0.78-7.13.4