Amazon Linux AMI update for httpd24, httpd

Published: 2016-07-20

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2016-5387
CWE-ID	CWE-284
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software	Amazon Linux AMI Operating systems & Components / Operating system
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Httpoxy issue

EUVDB-ID: #VU337

Risk: Medium

CVSSv4.0: 8.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2016-5387

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information and compromise vulnerable server.

The vulnerability exists due to a design error in multiple implementations of web servers. A remote unauthenticated attacker can use a specially crafted Proxy header in HTTP request to influence HTTP_PROXY environment variable and redirect application’s HTTP traffic to arbitrary proxy server.

Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to sensitive information and compromise vulnerable server.

This vulnerability is known as httppoxy.

Mitigation

Update the affected packages.

i686:
    mod24_session-2.4.23-1.65.amzn1.i686
    httpd24-devel-2.4.23-1.65.amzn1.i686
    httpd24-2.4.23-1.65.amzn1.i686
    httpd24-debuginfo-2.4.23-1.65.amzn1.i686
    httpd24-tools-2.4.23-1.65.amzn1.i686
    mod24_proxy_html-2.4.23-1.65.amzn1.i686
    mod24_ssl-2.4.23-1.65.amzn1.i686
    mod24_ldap-2.4.23-1.65.amzn1.i686
    httpd-debuginfo-2.2.31-1.8.amzn1.i686
    httpd-tools-2.2.31-1.8.amzn1.i686
    httpd-2.2.31-1.8.amzn1.i686
    mod_ssl-2.2.31-1.8.amzn1.i686
    httpd-devel-2.2.31-1.8.amzn1.i686

noarch:
    httpd24-manual-2.4.23-1.65.amzn1.noarch
    httpd-manual-2.2.31-1.8.amzn1.noarch

src:
    httpd24-2.4.23-1.65.amzn1.src
    httpd-2.2.31-1.8.amzn1.src

x86_64:
    httpd24-2.4.23-1.65.amzn1.x86_64
    mod24_proxy_html-2.4.23-1.65.amzn1.x86_64
    mod24_ssl-2.4.23-1.65.amzn1.x86_64
    httpd24-tools-2.4.23-1.65.amzn1.x86_64
    mod24_session-2.4.23-1.65.amzn1.x86_64
    httpd24-devel-2.4.23-1.65.amzn1.x86_64
    httpd24-debuginfo-2.4.23-1.65.amzn1.x86_64
    mod24_ldap-2.4.23-1.65.amzn1.x86_64
    httpd-2.2.31-1.8.amzn1.x86_64
    httpd-devel-2.2.31-1.8.amzn1.x86_64
    mod_ssl-2.2.31-1.8.amzn1.x86_64
    httpd-tools-2.2.31-1.8.amzn1.x86_64
    httpd-debuginfo-2.2.31-1.8.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2016-725.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.