Description

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Remediation

References

http://www.kb.cert.org/vuls/id/797896

https://httpoxy.org/

https://www.apache.org/security/asf-httpoxy-response.txt

http://www.securitytracker.com/id/1036331

http://rhn.redhat.com/errata/RHSA-2016-2045.html

http://rhn.redhat.com/errata/RHSA-2016-2046.html

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759

http://www.securityfocus.com/bid/91818

https://access.redhat.com/errata/RHSA-2016:1635

http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html

http://rhn.redhat.com/errata/RHSA-2016-1624.html

https://access.redhat.com/errata/RHSA-2016:1636

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us

https://tomcat.apache.org/tomcat-7.0-doc/changelog.html

https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html

https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/rc6b2147532416cc736e68a32678d3947b7053c3085cf43a9874fd102%40%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E

https://lists.apache.org/thread.html/rf21b368769ae70de4dee840a3228721ae442f1d51ad8742003aefe39%40%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r2853582063cfd9e7fbae1e029ae004e6a83482ae9b70a698996353dd%40%3Cusers.tomcat.apache.org%3E

Related Vulnerabilities

CVE-2017-16042 Vulnerability in maven package org.webjars.npm:growl

CVE-2022-3509 Vulnerability in maven package com.google.protobuf:protobuf-javalite

CVE-2021-28162 Vulnerability in npm package @wiptheia/core

CVE-2022-38639 Vulnerability in npm package markdown-nice

CVE-2022-27952 Vulnerability in npm package payload

Severity

Critical

Classification

CWE-284 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Third Party Advisory US Government Resource Vendor Advisory VDB Entry Patch Release Notes