[ASA-201611-6] tomcat6: proxy injection

2016-11-02T00:00:00
ID ASA-201611-6
Type archlinux
Reporter ArchLinux
Modified 2016-11-02T00:00:00

Description

Arch Linux Security Advisory ASA-201611-6

Severity: Medium
Date : 2016-11-02
CVE-ID : CVE-2016-5388
Package : tomcat6
Type : proxy injection
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE

Summary

The package tomcat6 before version 6.0.47-1 is vulnerable to proxy injection.

Resolution

Upgrade to 6.0.47-1.

pacman -Syu "tomcat6>=6.0.47-1"

The problem has been fixed upstream in version 6.0.47.

Workaround

None.

Description

It was discovered that Tomcat's CGI servlet used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts. CGI exposes every request header to the script as an HTTP_-prefixed environment variable, so a client-supplied "Proxy" header (which is not a standard HTTP header) lands in HTTP_PROXY, the variable that certain HTTP client implementations read to configure the proxy for outgoing HTTP requests. A remote attacker could use this flaw (the class of bugs known as "httpoxy") to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.
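As an added illustration, not part of the advisory or of Tomcat's own code, the following Python models the header-to-environment mapping that makes the flaw possible and the two places it can be fixed: at the gateway (drop the Proxy header before building the CGI environment, as tomcat6 6.0.47 does) and in the CGI script's HTTP client (refuse to trust HTTP_PROXY when REQUEST_METHOD shows it is running under CGI, the approach several client libraries took). The request headers, host names and internal URL are constructed for the example.

```python
"""Model of the httpoxy (CVE-2016-5388) mechanism. Added example, not
Tomcat's code: a minimal CGI gateway that turns request headers into HTTP_*
meta-variables (RFC 3875 section 4.1.18), a client-side proxy lookup that
shows why the attacker-supplied Proxy header matters, and both fixes."""
from urllib.parse import urlsplit

# Constructed attacker proxy and sample request (hypothetical hosts).
ATTACKER_PROXY = "http://attacker.example:8080"
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "curl/7.50",
    "Proxy": ATTACKER_PROXY,  # the malicious, non-standard header
}


def cgi_meta_variables(headers, strip_proxy=False):
    """Build the environment a CGI gateway hands to a script.

    RFC 3875: header name uppercased, '-' replaced by '_', prefixed 'HTTP_'.
    strip_proxy=False models tomcat6 before 6.0.47; strip_proxy=True models
    the gateway-side fix, which simply never forwards a Proxy header.
    """
    env = {}
    for name, value in headers.items():
        if strip_proxy and name.lower() == "proxy":
            continue  # fixed gateway: never let this header reach the script
        env["HTTP_" + name.upper().replace("-", "_")] = value
    env["REQUEST_METHOD"] = "GET"  # always set by a CGI gateway
    return env


def proxy_for_request(url, env, cgi_safe=False):
    """Return the proxy an HTTP client library would use for `url`.

    Classic (vulnerable) behaviour: HTTP_PROXY in the environment configures
    the proxy for http:// requests. With cgi_safe=True the client ignores the
    uppercase HTTP_PROXY when REQUEST_METHOD indicates it runs under CGI.
    A lowercase http_proxy cannot originate from a request header (the
    gateway only emits uppercase HTTP_*), so it remains trusted either way.
    """
    if urlsplit(url).scheme != "http":
        return None
    if env.get("http_proxy"):
        return env["http_proxy"]  # operator-configured, not attacker-controlled
    if cgi_safe and "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


def demo(target="http://internal.example/api"):
    """Run the three scenarios and report which proxy each would use."""
    results = {}
    # 1. Vulnerable gateway + classic client: request goes via the attacker.
    env = cgi_meta_variables(SAMPLE_HEADERS)
    results["vulnerable"] = proxy_for_request(target, env)
    # 2. Fixed gateway (tomcat6 >= 6.0.47): header dropped, no HTTP_PROXY.
    env = cgi_meta_variables(SAMPLE_HEADERS, strip_proxy=True)
    results["gateway_fixed"] = proxy_for_request(target, env)
    # 3. Unfixed gateway, but the client ignores HTTP_PROXY under CGI.
    env = cgi_meta_variables(SAMPLE_HEADERS)
    results["client_fixed"] = proxy_for_request(target, env, cgi_safe=True)
    # 4. Unfixed gateway, client fix, operator-set lowercase http_proxy kept.
    env["http_proxy"] = "http://corp-proxy.example:3128"
    results["operator_proxy"] = proxy_for_request(target, env, cgi_safe=True)
    return results


if __name__ == "__main__":
    for scenario, proxy in demo().items():
        print(f"{scenario:15s} -> {proxy}")
```

Only the gateway-side fix protects every CGI script behind the server, which is why the advisory offers no workaround short of upgrading: the client-side check has to be present in each HTTP library a script happens to use.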

Impact

A remote attacker is able to use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.

References

https://www.apache.org/security/asf-httpoxy-response.txt
https://access.redhat.com/security/cve/CVE-2016-5388