Vulnerability CVE-2016-5387: Information

Description

The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.

Severity: HIGH (8.1) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2016-5387

Published: July 19, 2016

Modified: Nov. 7, 2023

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
apache2	sisyphus	2.4.25-alt1	2.4.59-alt1	ALT-PU-2017-1655-1	183315	Fixed
apache2	p10	2.4.25-alt1	2.4.59-alt1	ALT-PU-2017-1655-1	183315	Fixed
apache2	p9	2.4.25-alt1	2.4.58-alt1	ALT-PU-2017-1655-1	183315	Fixed
apache2	p8	2.4.25-alt2.M80P.1	2.4.43-alt1	ALT-PU-2017-1750-1	184324	Fixed
apache2	c10f1	2.4.25-alt1	2.4.59-alt1	ALT-PU-2017-1655-1	183315	Fixed
apache2	c9f2	2.4.25-alt1	2.4.59-alt1	ALT-PU-2017-1655-1	183315	Fixed
apache2	c7	2.2.31-alt1.M70C.1	2.2.31-alt1.M70C.1	ALT-PU-2016-2274-1	172115	Fixed
apache2	p11	2.4.25-alt1	2.4.59-alt1	ALT-PU-2017-1655-1	183315	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
VU#797896	Third Party Advisory US Government Resource
https://httpoxy.org/	Third Party Advisory
https://www.apache.org/security/asf-httpoxy-response.txt	Vendor Advisory
1036330	Broken Link Third Party Advisory VDB Entry
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html	Third Party Advisory
RHSA-2016:1650	Broken Link Third Party Advisory
RHSA-2016:1648	Third Party Advisory
RHSA-2016:1649	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html	Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149	Third Party Advisory
openSUSE-SU-2016:1824	Mailing List Third Party Advisory
RHSA-2016:1635	Third Party Advisory
RHSA-2016:1625	Broken Link Third Party Advisory
RHSA-2016:1422	Third Party Advisory
RHSA-2016:1851	Third Party Advisory
RHSA-2016:1421	Third Party Advisory
RHSA-2016:1420	Third Party Advisory
91816	Third Party Advisory VDB Entry
USN-3038-1	Third Party Advisory
RHSA-2016:1624	Broken Link Third Party Advisory
RHSA-2016:1636	Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722	Third Party Advisory
DSA-3623	Third Party Advisory
GLSA-201701-36	Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html	Patch Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us	Third Party Advisory
https://www.tenable.com/security/tns-2017-04	Third Party Advisory
https://support.apple.com/HT208221	Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html	Patch Third Party Advisory
FEDORA-2016-a29c65b00f
FEDORA-2016-df0726ae26
FEDORA-2016-9fd9bfab9e
FEDORA-2016-683d0b257b
[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20190815 svn commit: r1048743 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20190815 svn commit: r1048742 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20200401 svn commit: r1058586 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20200401 svn commit: r1058587 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
[httpd-cvs] 20210330 svn commit: r1073140 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/
[httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
[httpd-cvs] 20210330 svn commit: r1073146 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
[httpd-cvs] 20210330 svn commit: r1073146 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities-httpd.xml security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20210330 svn commit: r1073149 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
[httpd-cvs] 20210603 svn commit: r1075360 [2/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20210606 svn commit: r1075467 [2/2] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[httpd-cvs] 20210606 svn commit: r1075470 [3/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Affected configurations:
1. Configuration 1
  cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
  Start including
  2.4.1
  End including
  2.4.23
  cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
  Start including
  2.2.0
  End including
  2.2.31
  
  Configuration 2
  cpe:2.3:a:hp:system_management_homepage:*:*:*:*:*:*:*:*
  End including
  7.5.5.0
  
  Configuration 3
  cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
  cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.2:*:*:*:*:*:*:*
  cpe:2.3:o:oracle:linux:5:-:*:*:*:*:*:*
  cpe:2.3:o:oracle:linux:6:-:*:*:*:*:*:*
  cpe:2.3:o:oracle:linux:7:-:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_user_data_repository:*:*:*:*:*:*:*:*
  Start including
  10.0.0
  End including
  12.4
  
  Configuration 4
  cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
  cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
  
  Configuration 5
  cpe:2.3:a:redhat:jboss_web_server:2.1.0:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  
  Configuration 6
  cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  
  Configuration 7
  cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  
  Configuration 8
  cpe:2.3:a:redhat:jboss_core_services:1.0:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  
  Configuration 9
  cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:7.3:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:7.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
  
  Configuration 10
  cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  
  Configuration 11
  cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
  
  Configuration 12
  cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
  cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Version: v24.5.3

Vulnerability CVE-2016-5387: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Configuration 6

Configuration 7

Configuration 8

Configuration 9

Configuration 10

Configuration 11

Configuration 12