Wednesday, July 20, 2016

Security notification: httpoxy A CGI application vulnerability (CVE-2016-5385, CVE-2016-5387, CVE-2016-1000110)


On July 18th, a vulnerability named ‘HTTPoxy’ was announced, affecting some server-side web applications that run in CGI or CGI-like environments, such as some FastCGI configurations.

A number of CVEs have been assigned, covering specific languages and CGI implementations:
  • CVE-2016-5385: PHP
  • CVE-2016-5386: Go
  • CVE-2016-5387: Apache HTTP Server
  • CVE-2016-5388: Apache Tomcat
  • CVE-2016-1000109: HHVM
  • CVE-2016-1000110: Python
More information about the vulnerability can be found on the httpoxy website.

Any PHP-based, Python-based or Tomcat-based Bitnami application is affected by this security issue.

We believe it is of the utmost importance to quickly address any security issues in applications distributed by Bitnami and our team is working to update all of the affected Cloud Images, Virtual Machines and Native Installers available through Bitnami.

Please take a moment to check if your image is vulnerable by following the instructions in the security section of our wiki.

You can mitigate the issue by blocking the Proxy request headers as early as possible, and before they hit your application. This is easy and safe.

Apache


  • Modify the <IfModule headers_module> in the /opt/bitnami/apache2/conf/httpd.conf file of Apache to unset the Proxy header. It will look like this:
...
<IfModule headers_module>
    RequestHeader unset Proxy
    ...
</IfModule>
... 

  •  Save the file and restart the service of Apache
sudo /opt/bitnami/ctlscript.sh restart apache 

Nginx


  • Add this line at the end of the file at /opt/bitnami/nginx/conf/fastcgi_params.
fastcgi_param  HTTP_PROXY "";

  • Save the file and restart the service of Nginx
sudo /opt/bitnami/ctlscript.sh restart nginx 


If you have any questions about this process, please post to our community support forum and we will be happy to help!

Update: 2016-07-22


The Bitnami Team has been working on releasing all the affected stacks in the different cloud vendors and we have to announce that the images of Google, Azure, 1&1 and GoDaddy have been updated properly. 

We continue working on releasing pending cloud platforms, virtual machines and the native installers. 

Update: 2016-07-26


All the cloud images, virtual machines and native installers that were affected by this security issue have been successfully patched and they are already available through Bitnami and our cloud partners. 

If you are using a Bitnami Cloud Hosting instance, you can easily patch it following the guide above while we upgrade the base image. 

Update: 2016-07-29


We patched the base images of Bitnami Cloud Hosting successfully and you can now launch a non-affected instance using Bitnami. You can also check the bundled components of the new images using this link