HTTPoxy Patch and Mitigation Link
HTTPoxy Status
HTTPoxy is a CGI bug that relates to how webservers and applications deal with certain environment variables. It's the latest and greates BWAIN (Bug with an Interesting Name). There are two independent way to protect yourself from this bug and the manner that is best for you or your organization will depend on how you've implemented your systems. At it's core is a difference between what the CGI Spec (RFC 3875) says should happen and what is expected by application developers.
What's Affected
There are 6 basic main categories of products that are currently affected by HTTPoxy:
- CVE-2016-5385 - PHP
- CVE-2016-5386 - Go
- CVE-2016-5387 - Apache HTTP
- CVE-2016-5388 - Apache Tomcat
- CVE-2016-1000109 - HHVM
- CVE-2016-1000110 - Python
Additionally there's a numbe of other projects based off stuff like this that's vulnerable to HTTPoxy. Please don't view this as a comphrehensive list:
Mitigation
The fastest way to "fix" your infrastructure is to mitigate the problem. The fastest way to "fix" this (generally) is to apply one of the mitigations available. The HTTPoxy site has a list of mitigations that are available:
| Project | Mitigation Available |
|---|---|
| NGINX + FastCGI | ✓ |
| Apache | ✓ |
| HAProxy | ✓ |
| Varnish | ✓ |
| relayd | ✓ |
| lighttpd | ✓ |
| lighttpd2 | ✓ |
| MS IIS + PHP | ✓ |
Patching
Additionally there's a number of patches being worked on that should remove the potential for this vulnerability. A hat tip should go to the `libwww-perl <https://github.com/libwww-perl/libwww-perl>`__, `curl <https://curl.haxx.se/>`__ and Ruby projects for patching and noticing this conflict before it became an issue. Because of the number of things that could be patched I'm limiting the amount of systems I'm checking to just the main 5 (Last Update 1469118992):
| Distro | PHP Status | Go Status | Apache HTTP Status | Apache Tomcat | HHVM Status | Python Status |
|---|---|---|---|---|---|---|
| Red Hat | In Progress | In Progess | Mostly Patched | In Progress | N/A | In Progress |
| Canonical | In Progress | In Progress | Patched | In Progress | Unknown | Unknown |
| Debian | In Progress | In Progress | Patched | Partially Patched | Reserved | Reserved |
| Suse | Patched | Unknown | Patched | Unknown | Unknown | Unknown |
| FreeBSD1 | No Patch | Mostly Patched | Patched | No Patch | Not Supported | No Patch |
Other Readings
Technical Articles and References
Here is a list of information posts with good technical details that you'll find useful in your own research.
- HTTPoxy. "A CGI application vulnerability for PHP, Go, Python and others". httpoxy. July 19th 2016.
- CERT. "Vulnerability Note VU#797896". Vulnerability Notes Database. July 18th 2016.
- Ellingwood, Justin. "How to Protect Your Server Against the HTTPoxy Vulnerability". DigitalOcean Community. July 18th 2016.
- Scheirlinck, Dominic. "How 'The Internet’s Biggest Blind Spot' lead to a 15 year old security vulnerability". We Build Vend. July 18th 2016.
- Scheirlinck, Dominic. "What is httpoxy? An explanation for non-technical audiences."We Build Vend. July 18th 2016.
- Brehm, Till. "HTTPOXY Vulnerability: How to protect and test your web server". Howto Fore. July 20th 2016.
News Articles
Here are some various news articles I've found on HTTPoxy that seem to have some good information about this issue.
- Ducklin, Paul. "HTTPoxy – the disease that could make your web server spring a leak". naked security. July 19th 2016.
- Pauli, Darren. "15-year-old security hole HTTPoxy returns to menace websites – it has a name, logo too". The Register. July 18th 2016.
- Zorz, Zeljka. "Widespread httpoxy vulnerabilities affect server-side web apps". Help Net Security. July 19th 2016.
- Osborne, Charlie. "15-year-old httpoxy flaw causes developer patch scramble". ZDNet. July 19th 2016.
- Cancellari, Nic. "httpoxy - the lurking bug with HTTP_PROXY that escaped patching widely for 15 years". peerlyst. July 20th 2016.
Vendor Responses
I've compiled some vendor responses to this issue. If you have one let me know and I'll update. It should be noted that I work for VDMS so I tossed it at the top of the list.
Appendix
- FreeBSD's VuXML page for this issue seems to have been taken down. Per their commit:
Remove HTTPoxy entry in vuxml until a we know if upstream vendors will patch this so things aren't marked vulnerable forever.