CVE-2016-5387 HTTPOXY
Background Information
On Monday, July 18, 2016, Apache disclosed a vulnerability that affects application code that runs in CGI or CGI-like environments. This includes the mod_php and php-fpm Apache modules, among others. For more information on this vulnerability, read the HTTPOXY website.
Impact
Environments vulnerable to this exploit include any that run PHP or CGI and use the HTTP_PROXY variable to configure outgoing proxies.
Releases
Apache released a patch for all versions of Apache 2.2 and Apache 2.4.
cPanel & WHM released patched Apache binaries for EasyApache 3 in the 3.34.2 release on July 20, 2016, and for EasyApache 4 in the July 21, 2016, release.
How to determine if your server is up-to-date
In EasyApache 3, either navigate to the EasyApache 3 interface (WHM >> Home >> Software >> EasyApache 3) or run the /usr/local/cpanel/scripts/easyapache script and ensure that your EasyApache 3 version is 3.34.2 or higher.
In EasyApache 4, the updated RPMs provided will contain a changelog entry with a CVE number. To view this changelog entry, run the following command:
rpm -q --changelog ea-apache24 | grep CVE-2016-5387
The output will resemble the following:
- Apply recommendations in asf-httpoxy-repsponse.txt for CVE-2016-5387
What to do if you are not up-to-date
We released patched Apache binaries for EasyApache 3 on July 20, 2016, and for EasyApache 4 on July 21, 2016. To update your server, perform one of the following steps:
- Run an EasyApache 3 build to update your system to version 3.34.2.
- In EasyApache 4, run the yum update command and ensure that you get an updated package of at least ea-apache24-2.4.23-2.
Manual mitigation via mod_headers
EasyApache 3
To mitigate this issue before cPanel releases the update, you can configure the mod_headers Apache module to remove the "Proxy:" header from all incoming requests. Add the following lines to your /usr/local/apache/conf/httpd.conf file:
EasyApache 4
To mitigate this issue before cPanel releases the update, you can configure the mod_headers Apache module to remove the "Proxy:" header from all incoming requests. Add the following lines to your /etc/apache2/conf/httpd.conf file:
Manual mitigation via ModSecurity
If you use ModSecurity®, you can add a custom ModSecurity rule to deny traffic with a Proxy header. To add this rule, perform the following steps:
- Navigate to WHM’s ModSecurity® Configuration interface (WHM >> Home >> Security Center >> ModSecurity® Configuration).
- Select Process the Rules in the Rules Engine section.
- Click Save.
- Navigate to WHM’s ModSecurity® Tools interface (WHM >> Home >> Security Center >> ModSecurity® Tools).
- Click Rules List. A new interface will appear.
- Click Add Rule. A new interface will appear.
- Enter the following rule in the Rule Text text box:
SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"
- To enable the rule when you deploy the configuration, select the Enable Rule checkbox.
- To deploy the rule and restart Apache immediately, select the Deploy and Restart Apache checkbox.
- Click Save.
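To confirm which of the measures above is actually in place, the following shell functions check the three signals this page describes: the CVE entry in the RPM changelog, an active mod_headers directive, and the ModSecurity rule. This is an added example, not cPanel's code; the function names are hypothetical, the sample data is constructed, and the mod_headers directive is assumed to take the form `RequestHeader unset Proxy early`.

```shell
#!/bin/sh
# Added example, not cPanel's code. Sample data below is constructed.

# Succeeds if the RPM changelog text on stdin records the httpoxy fix.
changelog_has_fix() {
    grep -q 'CVE-2016-5387'
}

# Succeeds if FILE has an active (uncommented) mod_headers directive that
# unsets the Proxy request header. The directive form is an assumption.
has_header_unset() {
    grep -Eiq '^[[:space:]]*RequestHeader[[:space:]]+unset[[:space:]]+"?Proxy"?([[:space:]]+early)?[[:space:]]*$' "$1"
}

# Succeeds if FILE has an active SecRule that counts Proxy headers and denies.
has_modsec_rule() {
    grep -Ei '^[[:space:]]*SecRule[[:space:]]+&REQUEST_HEADERS:Proxy[[:space:]]' "$1" |
        grep -Eq '[",]deny[",]'
}

# Prints which mitigation FILE carries: mod_headers, modsecurity or none.
audit_conf() {
    if has_header_unset "$1"; then
        echo "mod_headers"
    elif has_modsec_rule "$1"; then
        echo "modsecurity"
    else
        echo "none"
    fi
}

# Constructed sample: the commented-out line must not count as a mitigation.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# RequestHeader unset Proxy early
<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>
EOF
echo "sample config: $(audit_conf "$sample")"
rm -f "$sample"
```

On a live server, run `rpm -q --changelog ea-apache24 | changelog_has_fix` and `audit_conf /etc/apache2/conf/httpd.conf`. The check reads only the file it is given and does not follow Include directives.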
Warning:
This exploit has the potential to affect many different applications. If you experience trouble with other applications after you update your system, you must contact the application developer for further assistance.
If you still experience issues or need additional help, contact cPanel Support.