Skip to main content
ExLibris

Knowledge Assistant

BETA
 
  • Subscribe by RSS
  • Back
    Cross-Product

     

    Ex Libris Knowledge Center
    1. Search site
      Go back to previous article
      1. Sign in
        • Sign in
        • Forgot password
    1. Home
    2. Cross-Product
    3. Knowledge Articles
    4. Apache vulnerability - CVE-2016-5387

    Apache vulnerability - CVE-2016-5387

    1. Last updated
    2. Save as PDF
    3. Share
      1. Share
      2. Tweet
      3. Share
    No headers
    • Product: Apache
    • Product Version: 2.2.x and lower
    • Relevant for Installation Type: All environments

     

    Ex-Libris is aware of the new apache vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387) which involves HTTP_PROXY header and CGI (as described in https://httpoxy.org/).

     

    Several requirements must be fulfilled in order for an environment to be vulnerable:

    • Code needs to be running under a CGI-like context, where HTTP_PROXY becomes a real or emulated environment variable
    • An HTTP client that trusts HTTP_PROXY, and configures it as the proxy, must exist
    • That client, used within a request handler, must be making an HTTP (as opposed to HTTPS) request

     

    Our research found that:

    • In products where code is running under CGI the Perl client (LWP::HTTP) does not use the HTTP_PROXY variable and is therefore considered of low risk.
    • Products running apache tomcat are not running CGI.
    • Other products have no access to the web and are therefore considered of low risk.

     

    These conclusions are relevant only to code produced by Ex-Libris. CGI code installed by customers which was not supplied by ExLibris cannot be guaranteed to be safe.

     

    While the risk level of this vulnerability is deemed as LOW for Ex-Libris products, once an official version with the relevant fix is announced by apache, our development team will build and implement it in future releases.

     


    • Article last edited: 25-July-2016
    View article in the Exlibris Knowledge Center
    1. Back to top
      • Apache not loading, syntax error mod-jk file missing
      • Availability – Uptime Reports
    • Was this article helpful?

    Recommended articles

    1. Article type
      Topic
      Content Type
      Knowledge Article
      Language
      English
      Product
      Cross-Product
    2. Tags
      1. 3rd party
      2. 3rd party products
      3. Apache
      4. Security
    1. © Copyright 2025 Ex Libris Knowledge Center
    2. Powered by CXone Expert ®
    • Term of Use
    • Privacy Policy
    • Contact Us
    2025 Ex Libris. All rights reserved