{
  "threat_severity" : "Important",
  "public_date" : "2016-07-18T00:00:00Z",
  "bugzilla" : {
    "description" : "HTTPD: sets environmental variable based on user supplied Proxy request header",
    "id" : "1353755",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1353755"
  },
  "cvss" : {
    "cvss_base_score" : "5.0",
    "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.0",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an \"httpoxy\" issue.  NOTE: the vendor states \"This mitigation has been assigned the identifier CVE-2016-5387\"; in other words, this is not a CVE ID for a vulnerability.", "It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request." ],
  "acknowledgement" : "Red Hat would like to thank Scott Geary (VendHQ) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2016-09-12T00:00:00Z",
    "advisory" : "RHSA-2016:1851",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-httpd-0:2.4.6-77.SP1.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2016-09-12T00:00:00Z",
    "advisory" : "RHSA-2016:1851",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.6-77.SP1.jbcs.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2016-07-18T00:00:00Z",
    "advisory" : "RHSA-2016:1421",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "httpd-0:2.2.3-92.el5_11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2016-07-18T00:00:00Z",
    "advisory" : "RHSA-2016:1421",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "httpd-0:2.2.15-54.el6_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2016-07-18T00:00:00Z",
    "advisory" : "RHSA-2016:1422",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "httpd-0:2.4.6-40.el7_2.4"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1649",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6",
    "package" : "httpd-0:2.2.26-54.ep6.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1649",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6",
    "package" : "jbcs-httpd24-0:1-3.jbcs.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1649",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6",
    "package" : "jbcs-httpd24-openssl-1:1.0.2h-4.jbcs.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1649",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6",
    "package" : "mod_cluster-0:1.2.13-1.Final_redhat_1.1.ep6.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1649",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6",
    "package" : "mod_cluster-native-0:1.2.13-3.Final_redhat_2.ep6.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1649",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6",
    "package" : "mod_jk-0:1.2.41-2.redhat_3.ep6.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1649",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6",
    "package" : "tomcat-native-0:1.1.34-5.redhat_1.ep6.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1648",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7",
    "package" : "httpd22-0:2.2.26-56.ep6.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1648",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7",
    "package" : "jbcs-httpd24-0:1-3.jbcs.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1648",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7",
    "package" : "jbcs-httpd24-openssl-1:1.0.2h-4.jbcs.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1648",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7",
    "package" : "mod_cluster-0:1.2.13-1.Final_redhat_1.1.ep6.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1648",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7",
    "package" : "mod_cluster-native-0:1.2.13-3.Final_redhat_2.ep6.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1648",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7",
    "package" : "mod_jk-0:1.2.41-2.redhat_3.ep6.el7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1648",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7",
    "package" : "tomcat-native-0:1.1.34-5.redhat_1.ep6.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 2.1",
    "release_date" : "2016-08-22T00:00:00Z",
    "advisory" : "RHSA-2016:1650",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2.1"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3.0",
    "release_date" : "2016-08-17T00:00:00Z",
    "advisory" : "RHSA-2016:1624",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2016-08-18T00:00:00Z",
    "advisory" : "RHSA-2016:1636",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6",
    "package" : "httpd24-0:2.4.6-62.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2016-08-18T00:00:00Z",
    "advisory" : "RHSA-2016:1636",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6",
    "package" : "tomcat7-0:7.0.59-51_patch_01.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2016-08-18T00:00:00Z",
    "advisory" : "RHSA-2016:1636",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6",
    "package" : "tomcat8-0:8.0.18-62_patch_01.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2016-08-18T00:00:00Z",
    "advisory" : "RHSA-2016:1635",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7",
    "package" : "httpd24-0:2.4.6-62.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2016-08-18T00:00:00Z",
    "advisory" : "RHSA-2016:1635",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7",
    "package" : "tomcat7-0:7.0.59-51_patch_01.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2016-08-18T00:00:00Z",
    "advisory" : "RHSA-2016:1635",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7",
    "package" : "tomcat8-0:8.0.18-62_patch_01.ep7.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2016-07-18T00:00:00Z",
    "advisory" : "RHSA-2016:1420",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "httpd24-httpd-0:2.4.18-11.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS",
    "release_date" : "2016-07-18T00:00:00Z",
    "advisory" : "RHSA-2016:1420",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "httpd24-httpd-0:2.4.18-11.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2016-07-18T00:00:00Z",
    "advisory" : "RHSA-2016:1420",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "httpd24-httpd-0:2.4.18-11.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2016-07-18T00:00:00Z",
    "advisory" : "RHSA-2016:1420",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "httpd24-httpd-0:2.4.18-11.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS",
    "release_date" : "2016-07-18T00:00:00Z",
    "advisory" : "RHSA-2016:1420",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "httpd24-httpd-0:2.4.18-11.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS",
    "release_date" : "2016-07-18T00:00:00Z",
    "advisory" : "RHSA-2016:1420",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "httpd24-httpd-0:2.4.18-11.el7"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2016-08-17T00:00:00Z",
    "advisory" : "RHSA-2016:1625",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Affected",
    "package_name" : "httpd22",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 1",
    "fix_state" : "Will not fix",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-5387\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-5387\nhttps://access.redhat.com/security/vulnerabilities/httpoxy\nhttps://httpoxy.org/\nhttps://www.apache.org/security/asf-httpoxy-response.txt" ],
  "csaw" : true,
  "name" : "CVE-2016-5387"
}
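The two `details` paragraphs above describe the mechanism in prose. The following Python is an added worked example written for this page; it is not code from httpd, Red Hat or any project in the references. It models the RFC 3875 section 4.1.18 header-to-meta-variable mapping that turns a client's `Proxy:` header into `HTTP_PROXY`, the naive environment lookup in the affected HTTP client libraries, and the two mitigations (strip the header at the server; distrust `HTTP_PROXY` inside a CGI process). All request headers, addresses and environment values are constructed samples, and the function names are illustrative.

```python
"""Worked example of the httpoxy mechanism behind CVE-2016-5387.

Added illustration, not httpd or Red Hat code: a CGI gateway following
RFC 3875 turns a client-supplied `Proxy:` header into the HTTP_PROXY
meta-variable, a naive HTTP client picks it up as its outbound proxy, and
two independent fixes close the hole. Sample data below is constructed.
"""
from typing import Dict, Mapping, Optional

# Constructed sample request. 198.51.100.7 is a documentation-range address
# standing in for an attacker-run proxy.
ATTACKER_PROXY = "http://198.51.100.7:8080"
MALICIOUS_REQUEST_HEADERS: Dict[str, str] = {
    "Host": "app.example.test",
    "User-Agent": "curl/7.47.0",
    "Proxy": ATTACKER_PROXY,
}

# Constructed stand-in for the variables a server exports to every CGI child.
SERVER_BASE_ENV: Dict[str, str] = {
    "REQUEST_METHOD": "GET",
    "SCRIPT_NAME": "/cgi-bin/fetch.py",
    "SERVER_SOFTWARE": "Apache",
}


def header_meta_variables(headers: Mapping[str, str]) -> Dict[str, str]:
    """RFC 3875 section 4.1.18: each request header becomes HTTP_<NAME>, with
    the name upper-cased and '-' replaced by '_'. Unpatched httpd applies this
    to every header, so `Proxy:` collides with the conventional HTTP_PROXY."""
    return {
        "HTTP_" + name.upper().replace("-", "_"): value.strip()
        for name, value in headers.items()
    }


def build_cgi_env(headers: Mapping[str, str],
                  base_env: Mapping[str, str] = SERVER_BASE_ENV) -> Dict[str, str]:
    """Environment a CGI script would see: server variables plus header mapping.
    (Real httpd also copies its own process environment in; omitted here.)"""
    env = dict(base_env)
    env.update(header_meta_variables(headers))
    return env


def strip_proxy_header(headers: Mapping[str, str]) -> Dict[str, str]:
    """Server-side mitigation with the same effect as mod_headers'
    `RequestHeader unset Proxy early` or the patched httpd packages: the
    header is dropped before any CGI child is spawned."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def vulnerable_outbound_proxy(env: Mapping[str, str]) -> Optional[str]:
    """Behaviour of the affected HTTP client libraries: honour any
    case-insensitive match for http_proxy, wherever it came from."""
    for name, value in env.items():
        if name.lower() == "http_proxy" and value:
            return value
    return None


def hardened_outbound_proxy(env: Mapping[str, str]) -> Optional[str]:
    """Client-side mitigation (the approach Python's urllib and Go's net/http
    adopted after httpoxy): REQUEST_METHOD present means the process is a CGI
    child, so the upper-case HTTP_PROXY is client-tainted and is ignored. The
    all-lowercase http_proxy cannot be produced by a header, because CGI
    meta-variable names are always upper-case, so it stays trusted. Outside
    CGI both forms are honoured as before."""
    if env.get("http_proxy"):
        return env["http_proxy"]
    if "REQUEST_METHOD" in env:
        return None
    return vulnerable_outbound_proxy(env)


if __name__ == "__main__":
    tainted = build_cgi_env(MALICIOUS_REQUEST_HEADERS)
    print("HTTP_PROXY seen by CGI script:", tainted.get("HTTP_PROXY"))
    print("naive client would use      :", vulnerable_outbound_proxy(tainted))
    print("hardened client would use   :", hardened_outbound_proxy(tainted))
    clean = build_cgi_env(strip_proxy_header(MALICIOUS_REQUEST_HEADERS))
    print("after stripping Proxy header:", vulnerable_outbound_proxy(clean))
```

The server-side fix is the one the advisories in `affected_release` ship: the patched httpd packages stop passing the `Proxy` header through to CGI. For a host that cannot be updated yet, the ASF response linked in `references` recommends `RequestHeader unset Proxy early` via mod_headers. A quick field check is to send a request carrying `Proxy: http://<listener you control>` to a CGI endpoint that makes an outbound HTTP call; a fixed server produces no connection to the listener. The client-side rule is worth keeping regardless, since it protects the same script when deployed behind a gateway that was never patched.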