Bug 988489 - (CVE-2016-5388) VUL-0: CVE-2016-5388: tomcat: Setting HTTP_PROXY environment variable via Proxy header (httpoxy)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Security Team bot
CVSSv2:SUSE:CVE-2016-5388:5.0:(AV:N/A...
Depends on:
Blocks: httpoxy
Reported: 2016-07-12 07:00 UTC by Andreas Stieger
Modified: 2018-12-14 07:48 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Swamp Workflow Management 2016-07-12 22:01:27 UTC
bugbot adjusting priority
Comment 8 Swamp Workflow Management 2016-07-15 12:50:56 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages by 2016-07-29.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62898
Comment 13 Andreas Stieger 2016-07-18 14:07:28 UTC
Public at https://httpoxy.org/

Quoting from https://www.apache.org/security/asf-httpoxy-response.txt

Advisory: Apache Software Foundation Projects and "httpoxy" CERT VU#797896

Canonical URL: https://www.apache.org/security/asf-httpoxy-response.txt

Publication: v1.0  18 July 2016


Audience
--------

This Advisory is directed to HTTP web server administrators and users of
the software indicated below, including CGI developers.

This Advisory is not directed to a general audience, especially web browser
users. The issues raised by the "httpoxy" class of vulnerabilities affect
web servers, and are not an issue for consumers of web services to address.


Background
----------

The ASF (Apache Software Foundation) offers a number of software packages
which offer HTTP protocol ("Web") requests and responses, and offer the
developer or administrator CGI (Common Gateway Interface) routing through
these software packages.

The Apache HTTP Server (httpd and mod_fcgid), Apache Perl (mod_perl) and
Apache Tomcat projects all offer CGI handling of HTTP requests.

The Apache Traffic Server proxies HTTP requests, but offers no CGI support.

Many other ASF projects utilize the HTTP protocol, but at this time we have
not identified any which provide CGI handling, or forward the HTTP "Proxy:"
header implicated in the "httpoxy" class of issues. In the event that other
projects discover such a defect, or can contribute to mitigating this class
of issues, this Advisory will be updated.

Note especially that PHP (http://www.php.net) is not an Apache Software
Foundation project (this is a common point of confusion), and that this
Advisory does not attempt to address third-party software, scripts, 
libraries or components affected by the "httpoxy" group of issues.

See https://httpoxy.org/ (not affiliated with the ASF) for a complete 
discussion of the "httpoxy" class of issues, which are not reiterated
in this advisory.

The Apache Software Foundation wishes to thank Dominic Scheirlinck
and Scott Geary of Vend for bringing this issue to the attention of
the ASF Security Team for a well-coordinated community response.


Apache HTTP Server (httpd)
--------------------------
[...]
Apache Tomcat
-------------

Apache Tomcat provides a CGI Servlet that allows a CGI script to be
executed. The CGI Servlet isn't active in the configuration delivered by
the ASF, and activating it requires the user to modify the delivered web.xml.

To mitigate "httpoxy" issues in the CGI Servlet there are 3 possible ways:

1 - Add a filter to the webapp that uses CGI scripts: simple code that
rejects requests carrying a PROXY header with a 400 "bad request" error.
Map the filter in the web.xml of the webapp. Code like the following will
allow that:
+++
import javax.servlet.Filter;
import javax.servlet.FilterConfig;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.ServletException;

/*
 * Simple filter: rejects any request carrying a "Proxy" header with
 * 400 Bad Request, so the request never reaches the CGI Servlet, where
 * that header would be exported to the CGI script's environment as
 * HTTP_PROXY.
 */
public class PoxyFilter implements Filter {

    protected FilterConfig filterConfig;

    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    public void destroy() {
        this.filterConfig = null;
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws java.io.IOException,
                                                   ServletException {

        HttpServletRequest req = (HttpServletRequest)request;
        HttpServletResponse res = (HttpServletResponse)response;

        // Header names are case-insensitive: getHeader("proxy") also
        // matches "Proxy" and "PROXY".
        String poxy = req.getHeader("proxy");
        if (poxy == null) {
          // No Proxy header: call the next filter in the chain.
          chain.doFilter(request, response);
        } else {
          // Proxy header present: reject with 400 Bad Request.
          res.sendError(400);
        }
    }
}
+++

2 - Add a global valve to reject requests with a PROXY header: create a
PoxyValve.java with the content below, compile it, put it in a jar and
put the jar in the lib directory of your Tomcat installation. Add the line
<Valve className="PoxyValve" /> to conf/server.xml (for example after the
AccessLogValve) and restart Tomcat:

+++

import java.io.IOException;
import javax.servlet.ServletException;

import org.apache.catalina.valves.ValveBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;

/*
 * Global valve: rejects any request carrying a "Proxy" header with
 * 400 Bad Request before it reaches any webapp on this Tomcat instance.
 */
public class PoxyValve
    extends ValveBase {

    public void invoke(Request request, Response response)
        throws IOException, ServletException {

        // Header lookup is case-insensitive, so this also catches "proxy".
        String poxy = request.getHeader("Proxy");
        if (poxy != null) {
            response.sendError(400);
            return;
        }
        // No Proxy header: pass the request on to the next valve.
        getNext().invoke(request, response);
    }
}
+++

3 - Fix the CGIServlet code with the following patch, recompile
Tomcat, replace the catalina.jar in your installation with the one
produced, and restart Tomcat:

+++
--- java/org/apache/catalina/servlets/CGIServlet.java   (revision 1724080)
+++ java/org/apache/catalina/servlets/CGIServlet.java   (working copy)
@@ -1095,7 +1095,8 @@
                 //REMIND: change character set
                 //REMIND: I forgot what the previous REMIND means
                 if ("AUTHORIZATION".equalsIgnoreCase(header) ||
-                    "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
+                    "PROXY_AUTHORIZATION".equalsIgnoreCase(header) ||
+                    "PROXY".equalsIgnoreCase(header)) {
                     //NOOP per CGI specification section 11.2
                 } else {
                     envp.put("HTTP_" + header.replace('-', '_'),
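Review bot: the exclusion check in this hunk compares `header` before the `-` to `_` substitution, which only happens in the else branch (`envp.put("HTTP_" + header.replace('-', '_'),`), so a `Proxy-Authorization` request header is compared as `PROXY-AUTHORIZATION`, never matches the literal `"PROXY_AUTHORIZATION"`, and falls through to be exported; the new `"PROXY"` literal only works because that name contains no hyphen. Suggest normalising once before the check, e.g. `String name = header.replace('-', '_');`, and comparing every literal against `name`. The shared comment `//NOOP per CGI specification section 11.2` also no longer fits: it explains why the two authentication headers are dropped, not why `PROXY` is, so the new case should carry its own comment naming httpoxy / CVE-2016-5388. A third hard-coded literal is a stopgap; the configurable exclusion that the text after the patch announces for future releases is the right long-term shape.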
+++

A mitigation is planned for future releases of Tomcat, tracked as
CVE-2016-5388, which will allow the user to prevent values like
HTTP_PROXY from being propagated to the CGI Servlet environment.


Apache Traffic Server (ATS)
---------------------------
[..]
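The CGI meta-variable construction that the hunk in Comment 13 patches, together with the front-door check that PoxyFilter and PoxyValve perform, modelled as an added Python example. This is not code from the Apache advisory, from Tomcat or from this bug report; Python is used so that the effect of HTTP_PROXY on a real HTTP client library (urllib's environment scan) can be shown offline. `build_cgi_env`, `PRE_PATCH_EXCLUDED`, `PATCHED_EXCLUDED`, `proxy_seen_by_child` and `reject_proxy_header` are this example's own names; the exclusion sets mirror the literals in the hunk, and the request headers are constructed for the example.

```python
import os
import urllib.request
from unittest import mock

# Header names not exported to the CGI child's environment. The first two
# follow the CGI spec (RFC 3875, section 4.1.18: do not forward
# authentication headers); PROXY is what the advisory's CGIServlet hunk
# adds. These names and defaults are this example's own, not Tomcat's.
PRE_PATCH_EXCLUDED = frozenset({"AUTHORIZATION", "PROXY_AUTHORIZATION"})
PATCHED_EXCLUDED = PRE_PATCH_EXCLUDED | {"PROXY"}


def cgi_meta_name(header_name):
    """CGI meta-variable name of a header: upper-case, '-' -> '_', 'HTTP_' prefix."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_env(headers, excluded=PRE_PATCH_EXCLUDED):
    """Build the HTTP_* environment a CGI child would inherit from `headers`.

    `headers` is a list of (name, value) pairs as received. The exclusion
    check runs on the normalised name, so 'Proxy-Authorization' is matched
    as PROXY_AUTHORIZATION and 'proxy' as PROXY whatever the client's casing.
    With the default (pre-patch) exclusions a client-supplied 'Proxy' header
    becomes HTTP_PROXY, which is the httpoxy defect.
    """
    env = {}
    for name, value in headers:
        meta = cgi_meta_name(name)
        if meta[len("HTTP_"):] in excluded:
            continue  # not propagated, like the hunk's no-op branch
        env[meta] = value
    return env


def proxy_seen_by_child(env):
    """Proxy map a stock client library would derive from `env`.

    Runs urllib's real environment scan over a temporarily replaced
    os.environ, so the effect of HTTP_PROXY is shown by a library the CGI
    script might call rather than by a hand-written lookup.
    """
    with mock.patch.dict(os.environ, env, clear=True):
        return urllib.request.getproxies_environment()


def reject_proxy_header(headers):
    """Front-door check equivalent to the advisory's PoxyFilter / PoxyValve.

    Returns 400 when any header is named 'Proxy' (header names are
    case-insensitive, as the Servlet API's getHeader treats them), else 200.
    """
    if any(name.lower() == "proxy" for name, _ in headers):
        return 400
    return 200


# Constructed request: an ordinary request plus a client-supplied 'Proxy'
# header. All values are made up for this example.
SAMPLE_HEADERS = [
    ("Host", "cgi.example.test"),
    ("User-Agent", "constructed-client/1.0"),
    ("Authorization", "Basic Y29uc3RydWN0ZWQ6c2VjcmV0"),
    ("Proxy-Authorization", "Basic Y29uc3RydWN0ZWQ6c2VjcmV0"),
    ("Proxy", "http://proxy.example.test:8080"),
]


def demo(headers=SAMPLE_HEADERS):
    """Environment and resulting proxy choice before and after the patch."""
    before = build_cgi_env(headers)
    after = build_cgi_env(headers, PATCHED_EXCLUDED)
    return {
        "before": (sorted(before), proxy_seen_by_child(before)),
        "after": (sorted(after), proxy_seen_by_child(after)),
        "front_door_status": reject_proxy_header(headers),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The 'before' run exports HTTP_PROXY and urllib answers with an http proxy taken from the request; the 'after' run exports no such variable and urllib answers with none; the front-door check returns 400 for the same request, which is the behaviour the filter and valve implement. Note that current Python versions also ignore HTTP_PROXY when REQUEST_METHOD is present in the environment (urllib's own httpoxy fix); the example builds only the HTTP_* variables so that the pre-patch server behaviour stays visible.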
Comment 16 Swamp Workflow Management 2016-08-30 11:10:29 UTC
SUSE-SU-2016:2188-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 986359,988489
CVE References: CVE-2016-3092,CVE-2016-5388
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    tomcat-8.0.32-8.7
Comment 17 Swamp Workflow Management 2016-09-02 19:08:44 UTC
SUSE-SU-2016:2229-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 988489
CVE References: CVE-2016-5388
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    tomcat6-6.0.45-0.53.2
Comment 18 Swamp Workflow Management 2016-09-06 19:10:09 UTC
openSUSE-SU-2016:2252-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 986359,988489
CVE References: CVE-2016-3092,CVE-2016-5388
Sources used:
openSUSE Leap 42.1 (src):    tomcat-8.0.32-8.1
Comment 19 Marcus Meissner 2016-12-22 13:24:56 UTC
released
Comment 20 Swamp Workflow Management 2017-06-21 10:11:56 UTC
SUSE-SU-2017:1632-1: An update that solves 10 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1007853,1007854,1007855,1007857,1007858,1011805,1011812,1015119,1033448,1036642,988489
CVE References: CVE-2016-0762,CVE-2016-5018,CVE-2016-5388,CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-6816,CVE-2016-8735,CVE-2016-8745,CVE-2017-5647
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    tomcat6-6.0.53-0.56.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    tomcat6-6.0.53-0.56.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    tomcat6-6.0.53-0.56.1
Comment 21 Swamp Workflow Management 2017-06-23 13:11:25 UTC
SUSE-SU-2017:1660-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1007853,1007854,1007855,1007857,1007858,1011805,1011812,1015119,1033447,1033448,986359,988489
CVE References: CVE-2016-0762,CVE-2016-3092,CVE-2016-5018,CVE-2016-5388,CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-6816,CVE-2016-8735,CVE-2016-8745,CVE-2017-5647,CVE-2017-5648
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    tomcat-7.0.78-7.13.4
SUSE Linux Enterprise Server 12-LTSS (src):    tomcat-7.0.78-7.13.4