CVE-2016-5388
First published: Fri Jul 08 2016(Updated: )
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.tomcat:tomcat-catalina | >=8.0.0<8.5.5 | 8.5.5 |
| maven/org.apache.tomcat:tomcat-catalina | >=7.0.0<7.0.72 | 7.0.72 |
| debian/tomcat9 | 9.0.43-2~deb11u10 9.0.43-2~deb11u11 9.0.70-2 9.0.95-1 | |
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux HPC Node | =7.0 | |
| Red Hat Enterprise Linux HPC Node | =7.2 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Server | =7.2 | |
| Red Hat Enterprise Linux Server | =7.2 | |
| Red Hat Enterprise Linux Server | =7.2 | |
| Red Hat Enterprise Linux Workstation | =7.0 | |
| HP System Management Homepage | <=7.5.5.0 | |
| Red Hat Enterprise Linux Desktop | =6.0 | |
| Red Hat Enterprise Linux HPC Node | =6.0 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Workstation | =6.0 | |
| Oracle Linux | =6 | |
| Oracle Linux | =7 | |
| Tomcat | >=6.0<=6.0.45 | |
| Tomcat | >=7.0<=7.0.70 | |
| Tomcat | >=8.0<=8.5.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
- http://rhn.redhat.com/errata/RHSA-2016-1624.html
- http://rhn.redhat.com/errata/RHSA-2016-2045.html
- http://rhn.redhat.com/errata/RHSA-2016-2046.html
- http://www.kb.cert.org/vuls/id/797896
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
- http://www.securityfocus.com/bid/91818
- http://www.securitytracker.com/id/1036331
- https://access.redhat.com/errata/RHSA-2016:1635
- https://access.redhat.com/errata/RHSA-2016:1636
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- https://httpoxy.org/
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r2853582063cfd9e7fbae1e029ae004e6a83482ae9b70a698996353dd%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rc6b2147532416cc736e68a32678d3947b7053c3085cf43a9874fd102%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf21b368769ae70de4dee840a3228721ae442f1d51ad8742003aefe39%40%3Cusers.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html
- https://tomcat.apache.org/tomcat-7.0-doc/changelog.html
- https://www.apache.org/security/asf-httpoxy-response.txt
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03770en_us
- https://launchpad.net/bugs/cve/CVE-2016-5388
- https://rhn.redhat.com/errata/RHSA-2016-1624.html
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1199336&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1199336&action=edit
- https://svn.apache.org/viewvc?view=revision&revision=1756941
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1375581
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1375582
- https://rhn.redhat.com/errata/RHSA-2016-2046.html
- https://rhn.redhat.com/errata/RHSA-2016-2045.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1353809
- https://nvd.nist.gov/vuln/detail/CVE-2016-5388
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/6b414817c2b0bf351138911c8c922ec5dd577ebc0b9a7f42d705752d@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/6d3d34adcf3dfc48e36342aa1f18ce3c20bb8e4c458a97508d5bfed1@%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r2853582063cfd9e7fbae1e029ae004e6a83482ae9b70a698996353dd@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rc6b2147532416cc736e68a32678d3947b7053c3085cf43a9874fd102@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf21b368769ae70de4dee840a3228721ae442f1d51ad8742003aefe39@%3Cusers.tomcat.apache.org%3E
- https://access.redhat.com/errata/RHSA-2016:1624
- https://access.redhat.com/errata/RHSA-2016:2045
- https://access.redhat.com/errata/RHSA-2016:2046
- https://access.redhat.com/security/cve/CVE-2016-5388
- https://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
- https://www.kb.cert.org/vuls/id/797896
- https://github.com/apache/tomcat/commit/1b91e91194a095ea922f96d1dccddf6fbc446e54
- https://github.com/apache/tomcat/commit/880250877b0643956435282afb9c111450cfff4c
- https://github.com/apache/tomcat/commit/fb3569fbb9a2f55459aa8e1e22bc35a737e66329
- https://github.com/advisories/GHSA-v646-rx6w-r3qq (Advisory)
- https://svn.apache.org/r1756941
- https://svn.apache.org/r1756942
- https://security-tracker.debian.org/tracker/CVE-2016-5388
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388
- https://ubuntu.com/security/CVE-2016-5388
Frequently Asked Questions
What is the severity of CVE-2016-5388?
CVE-2016-5388 has a medium severity rating as it allows for potential remote code execution due to improper handling of untrusted client data.
How do I fix CVE-2016-5388?
To fix CVE-2016-5388, upgrade to Apache Tomcat version 7.0.72, 8.5.5, or higher, or apply the respective patch provided by your software supplier.
What versions of Apache Tomcat are affected by CVE-2016-5388?
Apache Tomcat versions 7.0.0 to 7.0.70 and 8.0 to 8.5.4 are affected by CVE-2016-5388.
Can CVE-2016-5388 be exploited remotely?
Yes, CVE-2016-5388 can be exploited remotely if the CGI Servlet is enabled, allowing attackers to redirect applications.
Is CVE-2016-5388 related to client data security?
Yes, CVE-2016-5388 is related to client data security, specifically regarding the handling of untrusted data in the HTTP_PROXY environment variable.
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-5388
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-v646-rx6w-r3qq
- agent/software-canonical-lookup
- agent/severity
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/event
- agent/description
- agent/last-modified-date
- agent/trending
- collector/security-tracker-debian
- source/Debian
- agent/source
- agent/author
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/maven
- package-manager/debian
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux hpc node
- version/red hat enterprise linux hpc node/7.0
- version/red hat enterprise linux hpc node/7.2
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/7.0
- version/red hat enterprise linux server/7.2
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/7.0
- vendor/hp
- canonical/hp system management homepage
- version/hp system management homepage/7.5.5.0
- version/red hat enterprise linux desktop/6.0
- version/red hat enterprise linux hpc node/6.0
- version/red hat enterprise linux server/6.0
- version/red hat enterprise linux workstation/6.0
- vendor/oracle
- canonical/oracle linux
- version/oracle linux/6
- version/oracle linux/7
- vendor/apache
- canonical/tomcat
- version/tomcat/6.0
- version/tomcat/6.0.45
- version/tomcat/7.0
- version/tomcat/7.0.70
- version/tomcat/8.0
- version/tomcat/8.5.4