Bugzilla – Bug 989523
VUL-1: CVE-2016-1000110: python,python3: Python CGIHandler: sets environmental variable based on user supplied Proxy request header
Last modified: 2022-02-13 11:15:05 UTC
public at https://httpoxy.org/

A CGI application vulnerability for PHP, Go, Python and others

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:
- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now. Here’s how.

httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.

What can happen if my web application is vulnerable?
If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:
- Proxy the outgoing HTTP requests made by the web application
- Direct the server to open outgoing connections to an address and port of their choosing
- Tie up server resources by forcing the vulnerable software to use a malicious proxy
httpoxy is extremely easy to exploit in basic form. And we expect security researchers to be able to scan for it quickly. Luckily, if you read on and find you are affected, easy mitigations are available.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1357334
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000110
http://seclists.org/oss-sec/2016/q3/95
POC at https://github.com/httpoxy/python-httpoxy-poc

wsgi not vulnerable
===================
Because the user-supplied values are kept in a separate wsgi 'environ' map, wsgi is not vulnerable. os.environ['HTTP_PROXY'] remains unchanged when a Proxy: foo header is sent.

cgi vulnerable
==============
When using the CGIHandler in wsgiref.handlers, and deploying your application with a standard CGI server, os.environ['HTTP_PROXY'] is a user-controlled value, and should not be trusted. requests trusts this value, and configures it as the proxy. The internal request to example.com ends up proxied at an address of the attacker's choosing.
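The namespace conflict described in the two comments above, worked through as an added example (this is not code from the bug report, the httpoxy PoC or CPython): the RFC 3875 rule that turns a request header into an HTTP_ meta-variable, a gateway-side mitigation that refuses to export the Proxy header, and a client-side check in the spirit of the upstream fix for issue27568 (ignore HTTP_PROXY when REQUEST_METHOD shows the process is a CGI script). The function names, the sample headers and the proxy address are constructed for the example.

```python
# Added example (not from the bug report, the httpoxy PoC or CPython).
# Shows the RFC 3875 header-to-environment rule behind httpoxy, a
# gateway-side mitigation (never export the Proxy header) and a client-side
# one (ignore HTTP_PROXY when REQUEST_METHOD marks a CGI environment).

def cgi_env_from_headers(headers, drop_proxy=False):
    """Map request headers to CGI meta-variables the way RFC 3875 does:
    'HTTP_' + header name upper-cased, with '-' replaced by '_'.
    Repeated headers are joined with commas; hop-by-hop fields are not
    special-cased here, only the naming rule matters for httpoxy."""
    env = {}
    for name, value in headers:
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        if drop_proxy and key == "HTTP_PROXY":
            continue  # a client-supplied header must never become HTTP_PROXY
        value = value.strip()
        env[key] = env[key] + "," + value if key in env else value
    return env

def proxies_from_environ(environ):
    """Build {scheme: proxy_url} from *_proxy variables, as an HTTP client
    library does, but ignore HTTP_PROXY while running as a CGI script.
    REQUEST_METHOD is a CGI meta-variable an interactive shell never sets,
    so its presence marks an environment where HTTP_PROXY is user-controlled.
    The lower-case http_proxy set by an administrator is still honoured,
    because CGI only ever produces the upper-case name."""
    in_cgi = "REQUEST_METHOD" in environ
    proxies = {}
    for key, value in environ.items():
        if not value or not key.lower().endswith("_proxy"):
            continue
        scheme = key[:-len("_proxy")].lower()
        if scheme == "no":
            continue  # no_proxy is an exclusion list, not a proxy
        if in_cgi and key == "HTTP_PROXY":
            continue  # httpoxy (CVE-2016-1000110): value came from the request
        proxies[scheme] = value
    return proxies

# Constructed sample request: a normal Host header plus an injected Proxy
# header pointing at a documentation-range address (not a real host).
SAMPLE_HEADERS = [("Host", "app.example"), ("Proxy", "http://198.51.100.1:8080")]

if __name__ == "__main__":
    unsafe = dict(cgi_env_from_headers(SAMPLE_HEADERS), REQUEST_METHOD="GET")
    print("CGI exports HTTP_PROXY =", unsafe.get("HTTP_PROXY"))
    print("hardened client honours:", proxies_from_environ(unsafe))
    print("gateway drop:", cgi_env_from_headers(SAMPLE_HEADERS, drop_proxy=True))
```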
Uncommon / non-standard deployment. -> VUL-1 for a future update.
Given that the latest security update didn't go through, I'm going to roll this one into it as well.
Upstream issue: http://bugs.python.org/issue27568
All pythons in all products are affected.
SUSE-SU-2016:2106-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 984751,985177,985348,989523 CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699 Sources used: SUSE Linux Enterprise Workstation Extension 12-SP1 (src): python-base-2.7.9-24.2 SUSE Linux Enterprise Software Development Kit 12-SP1 (src): python-base-2.7.9-24.2 SUSE Linux Enterprise Server 12-SP1 (src): python-2.7.9-24.1, python-base-2.7.9-24.2, python-doc-2.7.9-24.4 SUSE Linux Enterprise Desktop 12-SP1 (src): python-2.7.9-24.1, python-base-2.7.9-24.2
openSUSE-SU-2016:2120-1: An update that solves 5 vulnerabilities and has two fixes is now available. Category: security (moderate) Bug References: 935856,951166,983582,984751,985177,985348,989523 CVE References: CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699 Sources used: openSUSE Leap 42.1 (src): python3-3.4.5-8.1, python3-base-3.4.5-8.1, python3-doc-3.4.5-8.1 openSUSE 13.2 (src): python3-3.4.5-4.4.1, python3-base-3.4.5-4.4.1, python3-doc-3.4.5-4.4.1
SUSE-SU-2016:2270-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 984751,985348,989523 CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5699 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): python-2.6.9-39.1, python-base-2.6.9-39.1, python-doc-2.6-8.39.1 SUSE Linux Enterprise Server 11-SP4 (src): python-2.6.9-39.1, python-base-2.6.9-39.1, python-doc-2.6-8.39.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): python-2.6.9-39.1, python-base-2.6.9-39.1
releasing SLE 12 python3, showing all done.
SUSE-SU-2016:2653-1: An update that solves four vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 951166,983582,984751,985177,985348,989523,991069 CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): python3-base-3.4.5-17.1 SUSE Linux Enterprise Server 12-SP1 (src): python3-3.4.5-17.1, python3-base-3.4.5-17.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): python3-3.4.5-17.1, python3-base-3.4.5-17.1 SUSE Linux Enterprise Desktop 12-SP1 (src): python3-3.4.5-17.1, python3-base-3.4.5-17.1
SUSE-SU-2016:2859-1: An update that solves four vulnerabilities and has three fixes is now available. Category: security (moderate) Bug References: 951166,983582,984751,985177,985348,989523,991069 CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP2 (src): python3-base-3.4.5-19.1 SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): python3-3.4.5-19.1, python3-base-3.4.5-19.1 SUSE Linux Enterprise Server 12-SP2 (src): python3-3.4.5-19.1, python3-base-3.4.5-19.1 SUSE Linux Enterprise Desktop 12-SP2 (src): python3-3.4.5-19.1, python3-base-3.4.5-19.1
SUSE-SU-2019:0223-1: An update that fixes 5 vulnerabilities is now available. Category: security (important) Bug References: 1122191,984751,985177,985348,989523 CVE References: CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2019-5010 Sources used: SUSE Linux Enterprise Server 12-LTSS (src): python-2.7.9-16.7.1, python-base-2.7.9-16.7.2, python-doc-2.7.9-16.7.2
SUSE-SU-2020:0114-1: An update that solves 26 vulnerabilities and has 30 fixes is now available. Category: security (important) Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523 CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2, python3-doc-3.6.10-3.42.3 SUSE Linux Enterprise Module for Development Tools 15-SP1 (src): python3-base-3.6.10-3.42.2 SUSE Linux Enterprise Module for Development Tools 15 (src): python3-base-3.6.10-3.42.2 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2 SUSE Linux Enterprise Module for Basesystem 15 (src): python3-3.6.10-3.42.2, python3-base-3.6.10-3.42.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0086-1: An update that solves 26 vulnerabilities and has 30 fixes is now available. Category: security (important) Bug References: 1027282,1029377,1029902,1040164,1042670,1070853,1079761,1081750,1083507,1086001,1088004,1088009,1088573,1094814,1107030,1109663,1109847,1120644,1122191,1129346,1130840,1133452,1137942,1138459,1141853,1149121,1149792,1149955,1151490,1153238,1159035,1159622,637176,658604,673071,709442,743787,747125,751718,754447,754677,787526,809831,831629,834601,871152,885662,885882,917607,942751,951166,983582,984751,985177,985348,989523 CVE References: CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-4238,CVE-2014-2667,CVE-2014-4650,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-18207,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20406,CVE-2018-20852,CVE-2019-10160,CVE-2019-15903,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947 Sources used: openSUSE Leap 15.1 (src): python3-3.6.10-lp151.6.7.1, python3-base-3.6.10-lp151.6.7.1
SUSE-SU-2020:0234-1: An update that solves 37 vulnerabilities and has 50 fixes is now available. Category: security (important) Bug References: 1027282,1041090,1042670,1068664,1073269,1073748,1078326,1078485,1079300,1081750,1083507,1084650,1086001,1088004,1088009,1109847,1111793,1113755,1122191,1129346,1130840,1130847,1138459,1141853,1149792,1149955,1153238,1153830,1159035,214983,298378,346490,367853,379534,380942,399190,406051,425138,426563,430761,432677,436966,437293,441088,462375,525295,534721,551715,572673,577032,581765,603255,617751,637176,638233,658604,673071,682554,697251,707667,718009,747125,747794,751718,754447,766778,794139,804978,827982,831442,834601,836739,856835,856836,857470,863741,885882,898572,901715,935856,945401,964182,984751,985177,985348,989523,997436 CVE References: CVE-2007-2052,CVE-2008-1721,CVE-2008-2315,CVE-2008-2316,CVE-2008-3142,CVE-2008-3143,CVE-2008-3144,CVE-2011-1521,CVE-2011-3389,CVE-2011-4944,CVE-2012-0845,CVE-2012-1150,CVE-2013-1752,CVE-2013-1753,CVE-2013-4238,CVE-2014-1912,CVE-2014-4650,CVE-2014-7185,CVE-2016-0772,CVE-2016-1000110,CVE-2016-5636,CVE-2016-5699,CVE-2017-1000158,CVE-2017-18207,CVE-2018-1000030,CVE-2018-1000802,CVE-2018-1060,CVE-2018-1061,CVE-2018-14647,CVE-2018-20852,CVE-2019-10160,CVE-2019-16056,CVE-2019-16935,CVE-2019-5010,CVE-2019-9636,CVE-2019-9947,CVE-2019-9948 Sources used: SUSE Linux Enterprise Module for Python2 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1, python-doc-2.7.17-7.32.2 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): python-2.7.17-7.32.2, python-doc-2.7.17-7.32.2 SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): python-2.7.17-7.32.2 SUSE Linux Enterprise Module for Desktop Applications 15 (src): python-2.7.17-7.32.2 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1 SUSE Linux Enterprise Module for Basesystem 15 (src): python-2.7.17-7.32.2, python-base-2.7.17-7.32.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
This is an autogenerated message for OBS integration: This bug (989523) was mentioned in https://build.opensuse.org/request/show/851367 Factory / python36
This is an autogenerated message for OBS integration: This bug (989523) was mentioned in https://build.opensuse.org/request/show/852415 Factory / python36
This is an autogenerated message for OBS integration: This bug (989523) was mentioned in https://build.opensuse.org/request/show/853277 Factory / python36
This is an autogenerated message for OBS integration: This bug (989523) was mentioned in https://build.opensuse.org/request/show/853314 Factory / python36
This is an autogenerated message for OBS integration: This bug (989523) was mentioned in https://build.opensuse.org/request/show/856737 Factory / python36
This is an autogenerated message for OBS integration: This bug (989523) was mentioned in https://build.opensuse.org/request/show/923499 Factory / python36
This is an autogenerated message for OBS integration: This bug (989523) was mentioned in https://build.opensuse.org/request/show/926876 Factory / python36
This is an autogenerated message for OBS integration: This bug (989523) was mentioned in https://build.opensuse.org/request/show/951983 Factory / python
This is an autogenerated message for OBS integration: This bug (989523) was mentioned in https://build.opensuse.org/request/show/953031 Factory / python