cPanel

CVE-2016-5387 HTTPOXY


Background Information

On Monday, July 18, 2016, Apache disclosed a vulnerability that affects application code which runs in CGI, or CGI-like environments. This includes the mod_php and php-fpm Apache modules, among others. For more information on this vulnerability, read the HTTPOXY website.

Impact

Environments vulnerable to this exploit include any that run PHP or CGI, and use the HTTP_PROXY variable to configure outgoing proxies.

Releases

Apache released a patch for all versions of Apache 2.2 and Apache 2.4.

cPanel & WHM released patched Apache binaries for EasyApache 3 in the 3.34.2 release on July 20, 2016, and for EasyApache 4 in the July 21, 2016, release.

How to determine if your server is up-to-date

In EasyApache 3, either navigate to the EasyApache 3 interface (WHM >> Home >> Software >> EasyApache 3) or run the /usr/local/cpanel/scripts/easyapache script and ensure that your EasyApache 3 version is 3.34.2 or higher.

In EasyApache 4, the updated RPMs provided will contain a changelog entry with a CVE number. To view this changelog entry, run the following command:

rpm -q --changelog ea-apache24 | grep CVE-2016-5387

The output will resemble the following:

- Apply recommendations in asf-httpoxy-repsponse.txt for CVE-2016-5387

What to do if you are not up-to-date

We released patched Apache binaries for EasyApache 3 on July 20, 2016, and for EasyApache 4 on July 21, 2016. To update your server, perform one of the following steps:

  • Run an EasyApache 3 build to update your system to version 3.34.2.
  • In EasyApache 4, run the yum update command and ensure that you get an updated package of at least ea-apache24-2.4.23-2.

Manual mitigation via mod_headers

EasyApache 3

To mitigate this issue before cPanel releases the update, you can update the mod_headers Apache module to remove the "Proxy:" header from all incoming requests. Add the following lines to your /usr/local/apache/conf/httpd.conf file:

<IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
</IfModule>

EasyApache 4

To mitigate this issue before cPanel releases the update, you can update the mod_headers Apache module to remove the "Proxy:" header from all incoming requests. Add the following lines to your /etc/apache2/conf/httpd.conf file:

<IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
</IfModule>

Manual mitigation via ModSecurity

If you use ModSecurity®, you can add a custom ModSecurity rule to deny traffic with a Proxy header. To add this rule, perform the following steps:

  1. Navigate to WHM’s ModSecurity® Configuration interface (WHM >> Home >> Security Center >> ModSecurity® Configuration).
  2. Select Process the Rules in the Rules Engine section.
  3. Click Save.
  4. Navigate to WHM’s ModSecurity® Tools interface (WHM >> Home >> Security Center >> ModSecurity® Tools).
  5. Click Rules List. A new interface will appear.
  6. Click Add Rule. A new interface will appear.
  7. Enter the following rule in the Rule Text text box:
    SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"
  8. To enable the rule when you deploy the configuration, select the Enable Rule checkbox.
  9. To deploy the rule and restart Apache immediately, select the Deploy and Restart Apache checkbox.
  10. Click Save.
Warning:

This exploit has the potential to affect many different applications. If you experience trouble with other applications after you update your system, you must contact the application developer for further assistance.
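The following is an added illustration, not cPanel's or Apache's code, of why a client-supplied "Proxy:" header matters and what the two mitigations above (the mod_headers "RequestHeader unset Proxy early" directive and the ModSecurity rule) actually take out of the request. It models the RFC 3875 header-to-environment mapping that CGI and CGI-like environments perform; the header list and proxy address are constructed sample data.

```python
"""HTTPOXY mechanics (added example, not part of the cPanel article).

RFC 3875 (CGI) exposes every request header to the script as an environment
variable: the name is upper-cased, '-' becomes '_' and 'HTTP_' is prefixed.
A request header named 'Proxy' therefore lands in HTTP_PROXY, the variable
many HTTP client libraries consult to choose an outbound proxy.
"""


def cgi_meta_variables(headers):
    """Map (name, value) request headers to CGI meta-variables per RFC 3875."""
    env = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers):
    """Defensive filter equivalent to 'RequestHeader unset Proxy early':
    drop every 'Proxy' header (header names are case-insensitive) before
    the request reaches CGI or a proxied backend."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]


def modsecurity_rule_fires(headers):
    """True when the article's rule (&REQUEST_HEADERS:Proxy "@gt 0") would
    match: the count of Proxy headers in the request is greater than zero."""
    return sum(1 for n, _ in headers if n.lower() == "proxy") > 0


# Constructed sample request: ordinary headers plus a client-supplied Proxy
# header. 203.0.113.10 is a documentation (TEST-NET-3) address.
SAMPLE_HEADERS = [
    ("Host", "example.com"),
    ("User-Agent", "curl/7.47.0"),
    ("Proxy", "http://203.0.113.10:8080"),
]

if __name__ == "__main__":
    unmitigated = cgi_meta_variables(SAMPLE_HEADERS)
    mitigated = cgi_meta_variables(strip_proxy_header(SAMPLE_HEADERS))
    print("HTTP_PROXY without mitigation:", unmitigated.get("HTTP_PROXY"))
    print("HTTP_PROXY with mitigation:   ", mitigated.get("HTTP_PROXY"))
    print("ModSecurity rule would fire:  ", modsecurity_rule_fires(SAMPLE_HEADERS))
```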

If you still experience issues or need additional help, contact cPanel Support.
