
Status: RESOLVED

Background Information

On Monday, July 18, 2016, Apache disclosed a vulnerability that affects application code that runs in CGI or CGI-like environments. This includes the mod_php and php-fpm Apache modules, among others. For more information on this vulnerability, read the HTTPOXY website.

Impact

Environments vulnerable to this exploit include any that run PHP or CGI and whose applications read the HTTP_PROXY environment variable to configure outgoing proxies.

Releases

Apache released a patch for all versions of Apache 2.2 and Apache 2.4.

cPanel & WHM released patched Apache binaries for EasyApache 3 in the 3.34.2 release on July 20, 2016, and for EasyApache 4 in the July 21, 2016, release.

How to determine if your server is up-to-date

In EasyApache 3, either navigate to the EasyApache 3 interface (WHM >> Home >> Software >> EasyApache 3) or run the /scripts/easyapache script, and ensure that your EasyApache 3 version is 3.34.2 or higher.

In EasyApache 4, the updated RPMs contain a changelog entry with the CVE number. To view this changelog entry, run the following command:

    rpm -q --changelog ea-apache24 | grep CVE-2016-5387

The output will resemble the following:

    - Apply recommendations in asf-httpoxy-repsponse.txt for CVE-2016-5387

What to do if you are not up-to-date

We released patched Apache binaries for EasyApache 3 on July 20, 2016, and for EasyApache 4 on July 21, 2016. To update your server, perform one of the following steps:

  • Run an EasyApache 3 build to update your system to version 3.34.2.
  • In EasyApache 4, run the yum update command and ensure that you receive an updated package of at least ea-apache24-2.4.23-2.
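The version and changelog checks above can be scripted. The following is an added example, not cPanel's code: it parses package strings in the shape that rpm -q ea-apache24 prints, compares them against the fixed version this page names (ea-apache24-2.4.23-2) with a simplified rpmvercmp (no epoch or tilde handling), and filters changelog text for the CVE the way the grep above does. The package strings and changelog text embedded below are constructed samples, not real cPanel output.

```python
import re

# The fixed package version this page names: ea-apache24-2.4.23-2
FIXED_VERSION = "2.4.23"
FIXED_RELEASE = "2"

# Constructed samples in the shape `rpm -q ea-apache24` and
# `rpm -q --changelog ea-apache24` print; not real cPanel output.
SAMPLE_OLD_PACKAGE = "ea-apache24-2.4.20-3.cpanel.x86_64"
SAMPLE_NEW_PACKAGE = "ea-apache24-2.4.23-2.cpanel.x86_64"
SAMPLE_CHANGELOG = """\
* Wed Jul 20 2016 Constructed Maintainer <noreply@example.com> - 2.4.23-2
- Apply recommendations in asf-httpoxy-repsponse.txt for CVE-2016-5387
* Wed Jul 13 2016 Constructed Maintainer <noreply@example.com> - 2.4.23-1
- Update to 2.4.23
"""


def parse_nvr(package):
    """Split 'name-version-release[.arch]' into (name, version, release).
    The architecture suffix is dropped so it does not pollute the release."""
    package = re.sub(r"\.(x86_64|i686|noarch)$", "", package.strip())
    name, version, release = package.rsplit("-", 2)
    return name, version, release


def _segments(s):
    # rpm compares runs of digits and runs of letters; separators are ignored
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: 1 if a is newer, -1 if older, 0 if equal."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            # a numeric segment is always newer than an alphabetic one
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    # all shared segments equal: the string with more segments is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_patched(package):
    """True when the package is ea-apache24 at or above 2.4.23-2."""
    name, version, release = parse_nvr(package)
    if name != "ea-apache24":
        raise ValueError("not an ea-apache24 package: " + package)
    by_version = rpm_vercmp(version, FIXED_VERSION)
    if by_version != 0:
        return by_version > 0
    return rpm_vercmp(release, FIXED_RELEASE) >= 0


def changelog_fix_lines(changelog_text):
    """Same filter as `rpm -q --changelog ea-apache24 | grep CVE-2016-5387`."""
    return [line for line in changelog_text.splitlines() if "CVE-2016-5387" in line]


if __name__ == "__main__":
    for pkg in (SAMPLE_OLD_PACKAGE, SAMPLE_NEW_PACKAGE):
        print(pkg, "patched" if is_patched(pkg) else "NOT patched")
    for line in changelog_fix_lines(SAMPLE_CHANGELOG):
        print("changelog:", line)
```

On a live server, replace the constructed strings with the actual output of rpm -q ea-apache24 and rpm -q --changelog ea-apache24. The comparison ignores epoch and tilde ordering, which these package strings do not use, so it should not be taken as a general replacement for rpm's own comparison.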

Manual mitigation via mod_headers

EasyApache 3

To mitigate this issue before you apply the cPanel update, you can use the mod_headers Apache module to remove the "Proxy:" header from all incoming requests. Add the following lines to your /usr/local/apache/conf/httpd.conf file:

    <IfModule headers_module>
        #
        # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
        # backend servers which have lingering "httpoxy" defects.
        # 'Proxy' request header is undefined by the IETF, not listed by IANA
        #
        RequestHeader unset Proxy early
    </IfModule>

EasyApache 4

To mitigate this issue before you apply the cPanel update, you can use the mod_headers Apache module to remove the "Proxy:" header from all incoming requests. Add the following lines to your /etc/apache2/conf/httpd.conf file:

    <IfModule headers_module>
        #
        # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
        # backend servers which have lingering "httpoxy" defects.
        # 'Proxy' request header is undefined by the IETF, not listed by IANA
        #
        RequestHeader unset Proxy early
    </IfModule>

Manual mitigation via ModSecurity

If you use ModSecurity™, you can add a custom ModSecurity rule to deny traffic with a Proxy header. To add this rule, perform the following steps:

  1. Navigate to WHM's ModSecurity Configuration interface (WHM >> Home >> Security Center >> ModSecurity Configuration).
  2. Select Process the Rules in the Rules Engine section.
  3. Click Save.
  4. Navigate to WHM's ModSecurity Tools interface (WHM >> Home >> Security Center >> ModSecurity Tools).
  5. Click Rules List. A new interface will appear.
  6. Click Add Rule. A new interface will appear.
  7. Enter the following rule in the Rule Text text box:

        SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"

  8. To enable the rule when you deploy the configuration, select the Enable Rule checkbox.
  9. To deploy the rule and restart Apache immediately, select the Deploy and Restart Apache checkbox.
  10. Click Save.
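Both manual mitigations target the same mechanism: a CGI gateway turns each request header into an HTTP_<NAME> environment variable (RFC 3875), so a client-sent Proxy header reaches the application as HTTP_PROXY. The following added example, which is not Apache's, ModSecurity's or cPanel's code, models that mapping and the effect of the two rules on this page: RequestHeader unset Proxy early removes the header before the mapping happens, and the SecRule counts Proxy headers (the leading & is ModSecurity's count operator) and denies the request when the count is above zero. The request headers embedded below are constructed.

```python
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed request headers; 203.0.113.10 is an RFC 5737 documentation address.
SAMPLE_REQUEST: Headers = [
    ("Host", "www.example.com"),
    ("User-Agent", "constructed-client/1.0"),
    ("Proxy", "203.0.113.10:8080"),
]


def cgi_meta_variables(headers: Headers) -> Dict[str, str]:
    """RFC 3875 protocol-specific meta-variables: each request header becomes
    HTTP_<NAME>, with the name upper-cased and '-' replaced by '_'.
    Repeated fields are folded into one comma-separated value."""
    env: Dict[str, str] = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        env[key] = value if key not in env else env[key] + ", " + value
    return env


def unset_proxy_header(headers: Headers) -> Headers:
    """Model of `RequestHeader unset Proxy early`: drop every header whose
    name is Proxy (names compare case-insensitively). Names that merely start
    with 'Proxy', such as Proxy-Authorization, are left alone."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]


def modsec_rule_1000005(headers: Headers) -> bool:
    """Model of SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,...,deny".
    '&' counts the Proxy headers present; the rule fires (deny) when > 0.
    Returns True when the request would be denied."""
    proxy_count = sum(1 for n, _ in headers if n.lower() == "proxy")
    return proxy_count > 0


def cgi_env_after_mod_headers(headers: Headers) -> Dict[str, str]:
    """What the CGI process sees once the mod_headers rule is in place."""
    return cgi_meta_variables(unset_proxy_header(headers))


if __name__ == "__main__":
    print("unmitigated HTTP_PROXY:   ", cgi_meta_variables(SAMPLE_REQUEST).get("HTTP_PROXY"))
    print("with mod_headers HTTP_PROXY:", cgi_env_after_mod_headers(SAMPLE_REQUEST).get("HTTP_PROXY"))
    print("ModSecurity denies request: ", modsec_rule_1000005(SAMPLE_REQUEST))
```

The two functions behave differently by design: the mod_headers rule silently strips the header and lets the request through, while the ModSecurity rule logs and denies it, which gives you an audit trail of clients that sent one. Both match the header name exactly, so legitimate Proxy-Authorization headers are unaffected.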

Warning:

This exploit has the potential to affect many different applications. If you experience trouble with other applications after you update your system, you must contact the application developer for further assistance.

If you still experience issues or need additional help, contact cPanel support.
