CVE-2016-5388
CGI vulnerability in org.apache.tomcat:tomcat-catalina


What is CVE-2016-5388 About?

Apache Tomcat versions 7.x through 7.0.70 and 8.x through 8.5.4, when configured with the CGI Servlet, are susceptible to the "httpoxy" issue. Remote attackers can redirect an application's outbound HTTP traffic by injecting a crafted `Proxy` header, which gives them an easy way to manipulate the application's external communications. The impact includes potential exfiltration of internal data or redirection of traffic to malicious proxies.

Affected Software

  • org.apache.tomcat:tomcat-catalina
    • >7.0.0, <7.0.72
    • >8.0.0, <8.5.5

Technical Details

Apache Tomcat, specifically versions 7.x up to 7.0.70 and 8.x up to 8.5.4, when utilizing the CGI Servlet, adheres to RFC 3875 section 4.1.18. That section specifies that request header fields are passed to CGI scripts as environment variables whose names begin with `HTTP_`. The "httpoxy" vulnerability arises when an attacker sends an HTTP request containing a `Proxy` header. A CGI environment that follows the RFC converts this `Proxy` header into an `HTTP_PROXY` environment variable. Many client libraries and applications check the `HTTP_PROXY` environment variable when making outbound HTTP requests to determine whether a proxy should be used. By injecting a crafted `Proxy` header, a remote attacker can force the CGI applications on a vulnerable Tomcat instance to route their outbound HTTP traffic through an attacker-controlled proxy, effectively allowing man-in-the-middle attacks on the server's own outbound connections.
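The name collision described above, as an added Python illustration that is not Tomcat's CGIServlet code and not its actual patch: it models the RFC 3875 header-to-variable mapping beside a variant that drops the `Proxy` header before the mapping. All function names, the blocklist parameter and the sample host names are assumptions made for this example.

```python
# Added illustration, not Tomcat's CGIServlet code; function names are hypothetical.

def cgi_env_naive(headers, base_env=None):
    """RFC 3875 4.1.18 mapping: every request header becomes HTTP_<NAME>."""
    env = dict(base_env or {})
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_env_hardened(headers, base_env=None, blocked=("proxy",)):
    """Same mapping, but headers on the blocklist never reach the script.
    Header names are case-insensitive, so compare in lower case."""
    safe = {n: v for n, v in headers.items() if n.lower() not in blocked}
    return cgi_env_naive(safe, base_env)


def outbound_proxy(env):
    """Model of an HTTP client library that takes its proxy from HTTP_PROXY."""
    return env.get("HTTP_PROXY")


# Constructed sample data; host names are placeholders.
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "demo/1.0",
    "pRoXy": "http://untrusted.example.invalid:3128",
}
OPERATOR_ENV = {"HTTP_PROXY": "http://egress.example.test:8080"}

if __name__ == "__main__":
    for build in (cgi_env_naive, cgi_env_hardened):
        env = build(SAMPLE_HEADERS, OPERATOR_ENV)
        print(f"{build.__name__}: script would use proxy {outbound_proxy(env)}")
```

With the naive mapping the request header silently overrides the operator's own `HTTP_PROXY` setting; with the blocklist the operator's value survives and the other headers are still passed through.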

What is the Impact of CVE-2016-5388?

Successful exploitation may allow attackers to redirect outbound HTTP traffic from the server's applications to an arbitrary proxy server, potentially enabling data exfiltration, interception of sensitive communications, or access to internal network resources.

What is the Exploitability of CVE-2016-5388?

Exploitation of the httpoxy vulnerability is of low to moderate complexity and is primarily remote. It requires no authentication or special privileges on the target server, only the ability to send HTTP requests to a vulnerable Apache Tomcat instance where the CGI Servlet is enabled. The vulnerability is triggered by including a crafted `Proxy` header in a standard HTTP request. The `HTTP_PROXY` environment variable is a well-known mechanism used by many client libraries for proxy configuration, which increases the likelihood of an application being affected. Prerequisites include the CGI Servlet being active and the CGI application making outbound HTTP requests using libraries that honor the `HTTP_PROXY` environment variable. The ease of exploitation is high given the simplicity of sending a crafted header.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2016-5388?

Available Upgrade Options

  • org.apache.tomcat:tomcat-catalina
    • >7.0.0, <7.0.72 → Upgrade to 7.0.72
  • org.apache.tomcat:tomcat-catalina
    • >8.0.0, <8.5.5 → Upgrade to 8.5.5


Additional Resources

What are Similar Vulnerabilities to CVE-2016-5388?

Similar Vulnerabilities: CVE-2016-5387, CVE-2016-5386, CVE-2016-5389, CVE-2016-5390, CVE-2016-5391