Multiple CVEs: httpoxy

Low

Vendor

Cloud Foundry

Versions Affected

• Go Buildpack versions prior to 1.7.10
• PHP Buildpack versions prior to 4.3.17

Description

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It involves to a namespace conflict which leads to a remotely exploitable vulnerability. httpoxy is a vulnerability for server-side web applications that may allow an attacker to proxy the outgoing HTTP requests made by the web application, direct the server to open outgoing connections to an address and port of their choosing, or tie up server resources by forcing the vulnerable software to use a malicious proxy.

Multiple CVEs were released for httpoxy, including the following that affected Cloud Foundry.

• CVE-2016-5385: PHP
• CVE-2016-5386: Go
• CVE-2016-5387: Apache HTTP Server

Mitigation

Users of affected versions should apply the following mitigation:

• Upgrade the Go Buildpack to the latest version [2] and restage all applications that use automated buildpack detection.
• Upgrade the PHP Buildpack to the latest version [3] and restage all applications that use automated buildpack detection.

References

• [1] <https://httpoxy.org/&gt;
• [2] <https://github.com/cloudfoundry/go-buildpack/releases&gt;
• [3] https://github.com/cloudfoundry/go-buildpack/releases