- Product: Apache
- Product Version: 2.2.x and lower
- Relevant for Installation Type: All environments
Ex-Libris is aware of the new apache vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5387) which involves HTTP_PROXY header and CGI (as described in https://httpoxy.org/).
Several requirements must be fulfilled in order for an environment to be vulnerable:
- Code needs to be running under a CGI-like context, where HTTP_PROXY becomes a real or emulated environment variable
- An HTTP client that trusts HTTP_PROXY, and configures it as the proxy, must exist
- That client, used within a request handler, must be making an HTTP (as opposed to HTTPS) request
Our research found that:
- In products where code is running under CGI the Perl client (LWP::HTTP) does not use the HTTP_PROXY variable and is therefore considered of low risk.
- Products running apache tomcat are not running CGI.
- Other products have no access to the web and are therefore considered of low risk.
These conclusions are relevant only to code produced by Ex-Libris. CGI code installed by customers which was not supplied by ExLibris cannot be guaranteed to be safe.
While the risk level of this vulnerability is deemed as LOW for Ex-Libris products, once an official version with the relevant fix is announced by apache, our development team will build and implement it in future releases.
- Article last edited: 25-July-2016