CVE-2016-5386
First published: Fri Jul 08 2016(Updated: )
Dominic Scheirlinck of VendHQ reports: Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used (in many cases automatically by various HTTP client libraries) any outgoing requests generated in turn from the attackers original request can be redirected to an attacker controlled proxy. This allows attackers to view potentially sensitive information, reply with malformed data, or to hold connections open causing a potential denial of service. The Go programming language can automatically populate the HTTP_PROXY environmental variable with a user supplied "Proxy" header.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Go | <1.6.3 | 1.6.3 |
| redhat/Go | <1.7 | 1.7 |
| Fedora | =23 | |
| Fedora | =24 | |
| Oracle Linux | =7 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Server | =7.2 | |
| Red Hat Enterprise Linux Server | =7.2 | |
| Golang | >=1.0<1.6.3 | |
| Golang | =1.7-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.kb.cert.org/vuls/id/797896
- https://bugzilla.redhat.com/show_bug.cgi?id=1353798
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7WGHKKCFP4PLVSWQKCM3FJJPEWB5ZNTU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OR52UXGM6RKSCWF3KQMVZGVZVJ3WEESJ/
- http://rhn.redhat.com/errata/RHSA-2016-1538.html
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
- https://httpoxy.org/
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1357601
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1357602
- https://groups.google.com/forum/#!topic/golang-announce/7jZDOQ8f8tM
- https://access.redhat.com/security/cve/CVE-2016-5386
- https://golang.org/cl/25010
- https://golang.org/issue/16405
- https://golang.org/issue/16354
- https://golang.org/dl
- https://rhn.redhat.com/errata/RHSA-2016-1538.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7WGHKKCFP4PLVSWQKCM3FJJPEWB5ZNTU/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OR52UXGM6RKSCWF3KQMVZGVZVJ3WEESJ/
- https://www.ibm.com/support/pages/node/7182403 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2016-5386?
CVE-2016-5386 has a medium severity rating due to its potential impact on affected systems.
How do I fix CVE-2016-5386?
To fix CVE-2016-5386, you should upgrade the Go programming language to versions 1.6.3 or 1.7 or higher.
Which software versions are affected by CVE-2016-5386?
CVE-2016-5386 affects Go programming language versions prior to 1.6.3 and 1.7.
Is CVE-2016-5386 a remote vulnerability?
Yes, CVE-2016-5386 can be exploited remotely through manipulated proxy headers.
Who reported CVE-2016-5386?
CVE-2016-5386 was reported by Dominic Scheirlinck of VendHQ.
- agent/first-publish-date
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-5386
- agent/software-canonical-lookup
- agent/trending
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- agent/references
- agent/source
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/fedoraproject
- canonical/fedora
- version/fedora/23
- version/fedora/24
- vendor/oracle
- canonical/oracle linux
- version/oracle linux/7
- vendor/redhat
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/7.0
- version/red hat enterprise linux server/7.2
- vendor/golang
- canonical/golang
- version/golang/1.0
- version/golang/1.7-rc1