Hewlett Packard Enterprise Product Security Vulnerability Alerts

HTTP_PROXY Environment Variable Handling Vulnerability ("Multiple CVEs")

Version 3.0 : Last Updated: January 5th, 2017

This website is updated frequently, as new product information becomes available.

On July 18th, 2016, a vulnerability in the handling of the HTTP_PROXY environment variable by web servers, web frameworks, and programming languages that run in CGI or CGI-like environments, referred to as HTTPoxy, was disclosed. The vulnerability stems from using user-supplied input to set the HTTP_PROXY environment variable without sufficient validation. It could allow an unauthenticated, remote attacker to perform a man-in-the-middle (MITM) attack or redirect outbound traffic to an arbitrary server, which can result in the disclosure of sensitive information.
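The mechanism behind the paragraph above, as an added example that is not HPE's code: a CGI gateway exports every request header as an HTTP_* meta-variable (RFC 3875), so a client-supplied Proxy header lands in HTTP_PROXY, which HTTP client libraries read as their proxy setting. The block models both standard mitigations, dropping the header at the web server and having the client library ignore HTTP_PROXY inside a CGI request (the approach the Python fix for CVE-2016-1000110 took); all header names and proxy values are constructed placeholders.

```python
"""Model the HTTPoxy flaw and its two standard mitigations (added example)."""

# Constructed request: "Proxy" is not a standard request header, but a CGI
# gateway exports every header as HTTP_<NAME>, so it collides with HTTP_PROXY.
CONSTRUCTED_REQUEST_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "constructed-client/1.0",
    "Proxy": "untrusted-proxy.example.test:8080",   # placeholder value
}


def cgi_meta_variables(headers, method="GET", strip_proxy=False):
    """Build the CGI environment a gateway hands to a script.

    strip_proxy=True models the web-server-side fix (for Apache httpd,
    'RequestHeader unset Proxy early'): the header is discarded before it
    can become a meta-variable.
    """
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers.items():
        if strip_proxy and name.lower() == "proxy":
            continue
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def getproxies_environment(env, cgi_safe=True):
    """Collect *_proxy settings the way an HTTP client library does.

    cgi_safe=True models the library-side fix: REQUEST_METHOD is only set
    inside a CGI request, where the upper-case HTTP_PROXY is client-controlled
    and must be ignored. The lower-case http_proxy is never exported by a CGI
    gateway, so an administrator's real proxy setting keeps working.
    """
    proxies = {}
    for name, value in env.items():
        if name.lower().endswith("_proxy") and value:
            if cgi_safe and name == "HTTP_PROXY" and "REQUEST_METHOD" in env:
                continue
            proxies[name[:-6].lower()] = value
    return proxies


def outbound_proxy_for(env, cgi_safe=True):
    """Return the proxy an outbound http:// request from this script would use."""
    return getproxies_environment(env, cgi_safe).get("http")


if __name__ == "__main__":
    env = cgi_meta_variables(CONSTRUCTED_REQUEST_HEADERS)
    print("unpatched client:", outbound_proxy_for(env, cgi_safe=False))
    print("patched client:  ", outbound_proxy_for(env))
```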

A number of CVEs have been assigned, covering specific languages and CGI implementations:

  • CVE-2016-5385 (PHP)
  • CVE-2016-5386 (Go)
  • CVE-2016-5387 (Apache HTTP Server)
  • CVE-2016-5388 (Apache Tomcat)
  • CVE-2016-1000109 (HHVM)
  • CVE-2016-1000110 (Python)
  • CVE-2016-1000104 (mod_fcgi)
  • CVE-2016-1000105 (Nginx CGI script)
  • CVE-2016-1000107 (Erlang HTTP Server)
  • CVE-2016-1000108 (YAWS)
  • CVE-2016-1000111 (Python twisted)

Additional information about the vulnerability is available on the NIST website.

Usage Instructions and Definitions for CVE Vulnerability Information

Data | Definition
---- | ----------
Product Family | High-level product description.
Product Name | Detailed product description.
CVE-XXXX (Impacted Y/N) | Indicates whether the specific product is affected by the cited vulnerability.
Impacted Direct/Indirect | Indicates whether the specific product is directly affected by the cited vulnerability or is indirectly affected due to a dependence on a separate, embedded or associated product.
If Impacted Mitigation Info | Information regarding how to address a vulnerability.
Notes | Miscellaneous information regarding the vulnerability.
Link to Security Bulletin | Link to HPE's Security Bulletin

Use the following table to find vulnerability information.

Product Category | Product Sub-Category | Product Name | HTTPoxy (impacted Y/N) | If Impacted - Mitigation | Link(s) to security bulletin (PSRT or Vendor)
---------------- | -------------------- | ------------ | ---------------------- | ------------------------ | ---------------------------------------------
Servers | Non-HP OS | SUSE Linux Enterprise Server | Yes | Under Investigation | https://www.suse.com/security/cve/CVE-2016-5387
Servers | Non-HP OS | CentOS | Yes | Under Investigation | CentOS 5/6: https://lwn.net/Alerts/694834 ; CentOS 7: https://lwn.net/Alerts/694836
Servers | Non-HP OS | Debian | Yes | Under Investigation | https://security-tracker.debian.org/tracker/CVE-2016-5387
Servers | Platform Software | HP Insight Management Agents (Linux) | Yes | Under Investigation |
Servers | Platform Software | HP SNMP Agents for Citrix XenServer | Yes | Under Investigation |
Servers | Platform Software | HP System Management Homepage for Solaris 10 (x86[/x64]) Systems | Yes | Under Investigation |
Servers | Platform Software | Management Component Pack CD for dpkg-based distributions | Yes | Under Investigation |
Servers | Platform Software | Management Component Pack for Asianux 4 (i386 and x86_64) | Yes | Under Investigation |
Servers | Platform Software | Management Component Pack for CentOS 5 (i386 and x86_64) | Yes | Workaround: disable System Management Homepage (SMH). Fix under investigation. |
Servers | Platform Software | Management Component Pack for CentOS 6 (i386 and x86_64) | Yes | Workaround: disable System Management Homepage (SMH). Fix under investigation. |
Servers | Platform Software | Management Component Pack for CentOS 7 | Yes | Workaround: disable System Management Homepage (SMH). Fix under investigation. |
Servers | Platform Software | Management Component Pack for Oracle 5[.x] (i386 and x86_64) | Yes | Workaround: disable System Management Homepage (SMH). Fix under investigation. |
Servers | Platform Software | Management Component Pack for Oracle 6.x (x86_64) | Yes | Workaround: disable System Management Homepage (SMH). Fix under investigation. |
Servers | Platform Software | Management Component Pack for Oracle 7.x (x86_64) | Yes | Workaround: disable System Management Homepage (SMH). Fix under investigation. |
Servers | Non-HP OS | Oracle Linux | Yes | Under Investigation | OL 5/6: http://linux.oracle.com/errata/ELSA-2016-1421.html ; OL 7: http://linux.oracle.com/errata/ELSA-2016-1422.html
Servers | Platform Software | ProLiant Support Pack for Asianux 3 (i386 and x86_64) | Yes | Under Investigation |
Servers | Platform Software | ProLiant Support Pack for Fedora 14 (i386 and x86_64) | Yes | Under Investigation |
Servers | Platform Software | ProLiant Support Pack for openSUSE 11.3 (i386 and x86_64) | Yes | Under Investigation |
Servers | Non-HP OS | Red Hat Enterprise Linux | Yes | Under Investigation | RHEL 5/6: https://rhn.redhat.com/errata/RHSA-2016-1421.html ; RHEL 7: https://rhn.redhat.com/errata/RHSA-2016-1422.html
Servers | Platform Software | Support Bundle for Oracle Solaris 10 (x86/x64) on ProLiant | Yes | Under Investigation |
Servers | Platform Software | Support Bundle for Oracle Solaris 10 1/13 (x86/x64) on ProLiant | Yes | Under Investigation |
Servers | Non-HP OS | Ubuntu | Yes | Under Investigation | http://www.ubuntu.com/usn/usn-3038-1/
Storage | StoreEasy | StoreEasy | Yes | Under Investigation |
Servers | Integrity | HP Integrity CB900s i2 & i4 Superdome 2 Server | Yes | Under Investigation |
Servers | Integrity | HP Integrity Superdome X | Yes | Under Investigation |
Servers | Platform Software | SD 2/SD X OA2 | Yes | Under Investigation |
Servers | Platform Software | HP OpenVMS | Yes | Under Investigation |
CDI | Converged Systems | HP ConvergedSystem 900 for SAP HANA - Scale Out (IVB only) | Yes | Under Investigation |
CDI | Converged Systems | HP ConvergedSystem 900 for SAP HANA - Scale Up | Yes | Under Investigation |
Servers | HP-UX | HP-UX Apache | Yes | Under Investigation |
Servers | HP-UX | HP-UX PHP | Yes | Under Investigation |
Servers | HP-UX | HP-UX Tomcat | Yes | Under Investigation |
Storage | StoreEver | MSL6480 Tape Library | Yes | Under Investigation |
Storage | StoreEver | Archive Manager | Yes | Under Investigation |
Storage | StoreEver | Archive Migrator | Yes | Under Investigation |
CDI | Converged Systems | HP AppSystem for SAP HANA Scale Out 1.2 | Yes | Under Investigation |
CDI | Converged Systems | HP ConvergedSystem 500 for SAP HANA - Single-Node (Scale-up) | Yes | Under Investigation |
CDI | Converged Systems | HP ConvergedSystem 500 for SAP HANA - Scale Out | Yes | Under Investigation |
CDI | Converged Systems | HP AppSystems for SAP HANA Scale-up Gen 1.0 | Yes | Under Investigation |
CDI | Converged Systems | HP AppSystems for SAP HANA Scale-out Gen 1.0 | Yes | Under Investigation |
Storage | StoreAll | StoreAll | Yes | Under Investigation | https://www.apache.org/security/asf-httpoxy-response.txt ; https://rhn.redhat.com/errata/RHSA-2016-1421.html
CDI | Platform Software | System Management Homepage for Linux | Yes | Under Investigation |
CDI | Platform Software | System Management Homepage for Windows | Yes | Under Investigation |
CDI | Platform Software | Version Control Agent (Linux) | Yes | Under Investigation |
CDI | Platform Software | Version Control Agent (Windows) | Yes | Under Investigation |
CDI | Platform Software | Version Control Repository Manager | Yes | Under Investigation |
Servers | Platform Software | C-Track | Under Investigation | |
Servers | Platform Software | Instant Support Personal Edition (ISPE) Mobile App | Under Investigation | |
Servers | Non-HP OS | Solaris | Under Investigation | |
Networking | H3C Network | Comware v5 | Under Investigation | |
Networking | H3C Network | Comware v7 | Under Investigation | |
Networking | H3C Network | Unified Wireless Solutions (Comware V5) | Under Investigation | |
Networking | H3C Network | vSwitch | Under Investigation | |
Networking | HPE Network | SDN Applications | Under Investigation | |
Networking | H3C Network | HP Small Biz Network (SBN) solutions | Under Investigation | |
Networking | HPE Network | OA Service O/S (Used in the Advanced Services v2 zl Module with HDD and Advanced Services v2 zl Module with SSD) | Under Investigation | |
Storage | 3PAR | 3PAR | Under Investigation | |
CDI | Converged Systems | HP ConvergedSystem 300 for Virtualization 1.0 | Under Investigation | |
CDI | Converged Systems | HP ConvergedSystem 300 for Virtualization 1.1 | Under Investigation | |
CDI | Converged Systems | HP Converged System 700 2.0 VMware | Under Investigation | |
CDI | Converged Systems | HP ConvergedSystem 700X for VMware (721223-B21) | Under Investigation | |
CDI | Converged Systems | HP ConvergedSystem 700X v1.1 VMware Kit (J0H72A) | Under Investigation | |
CDI | Converged Systems | HPE Converged Architecture 700 | Under Investigation | |
Servers | NonStop | iTP WebServer | Under Investigation | |
CDI | Converged Systems | HPE HC380 1.0 | Under Investigation | |
CDI | Converged Systems | HC380 1.0 U1 | Under Investigation | |
CDI | Converged Systems | HC380 1.1 | Under Investigation | |
Servers | NonStop | OSS scripting languages | Under Investigation | |
CDI | Platform Software | HPE OneView for vRealize | Under Investigation | |
Servers | Platform Software | HP Insight Management Agents (Linux) | Under Investigation | |
Servers | Platform Software | HP OneView for Red Hat Enterprise Virtualization | Under Investigation | |
Servers | Platform Software | HP VMware WBEM Providers | No | |
Servers | Platform Software | HP VMware Utilities | No | |
Servers | Power | HP DF UPS MM, HP Direct Flow UPS Management Module | No | |
Servers | Platform Software | HP Intelligent Modular Power Distribution Unit/Kit | No | |
Servers | Platform Software | HP IP Console Switch, HP Server Console Switch | No | |
Servers | Platform Software | HP Managed PDU | No | |
Servers | Platform Software | HP Monitored PDU | No | |
Servers | Power | HP UPS Network Management Card | No | |
Servers | Power | HP UPS Power Protector Software | No | |
Servers | Apollo | Apollo 8000 System Manager | No | |
Servers | Platform Software | HP Modular Cooling System, HP MCS x00 Cooling Unit | No | |
Servers | HP-UX | HP-UX iCAP | No | |
Servers | HP-UX | HP-UX VirtProvider | No | |
Servers | HP-UX | HP-UX vmProvider | No | |
Servers | HP-UX | HP-UX VSMgr | No | |
Servers | Platform Software | HP Insight Remote Support (V5 Client) | No | |
Servers | Platform Software | HP Insight Remote Support (V7 Client) | No | |
Servers | Platform Software | HPRC Client | No | |
Servers | Platform Software | HPRC Upload Applet | No | |
Servers | Platform Software | Remote Device Access - Instant Customer Access Server (iCAS) | No | |
Servers | Platform Software | Remote Device Access - Virtual Customer Access System (vCAS) | No | |
Servers | Platform Software | Service Pack for ProLiant | No | |
Servers | Platform Software | Integrated Management Log Viewer for Windows | No | |
Servers | Platform Software | Management Controller Driver for Windows | No | |
Servers | Non-HP OS | Citrix XenServer | No | |
Servers | Platform Software | HP ProLiant Solaris 11 Support Bundle | No | |
Servers | Platform Software | HPAPM, HP Advanced Power Manager | No | |
Servers | Platform Software | SLAPM, HP ProLiant SL Advanced Power Manager | No | |
Servers | Platform Software | HP iLO Mobile Application | No | |
Servers | Platform Software | HP BladeSystem c-Class Virtual Connect Support Utility | No | |
Servers | Platform Software | HP Insight Management VCEM Web Client SDK | No | |
Servers | Platform Software | Virtual Connect | No | |
Servers | Platform Software | Virtual Connect Enterprise Manager | No | |
Servers | Platform Software | HP Integrated Lights Out (iLO) | No | |
Servers | Platform Software | HP SUM | No | |
Networking | HPE Network | MSM Wireless | No | |
Networking | HPE Network | PVOS Legacy | No | |
Networking | HPE Network | ProVision Switches | No | |
Networking | H3C Network | Intelligent Management Center (IMC) | No | |
Networking | H3C Network | SecBlade SSL VPN (Comware v3) | No | |
Networking | HPE Network | Small Medium Business Solutions | No | |
Networking | H3C Network | VoIP (VCX) | No | |
Networking | HPE Network | SDN Controller | No | |
Networking | HPE Network | Threat Management Services (TMS) zl Security Module | No | |
Networking | Aruba Network | Aruba Airwave | No | |
Networking | Aruba Network | Aruba OS | No | |
Networking | Aruba Network | Aruba ClearPass | No | |
CDI | Converged Systems | HP ConvergedSystem 300 for Microsoft Analytics Platform | No | |
Servers | Platform Software | HP Intelligent Provisioning | No | |
CDI | Converged Systems | HP ConvergedSystem 300 for Microsoft 1.1 | No | |
CDI | Converged Systems | HP Converged System 700 2.0 Foundation | No | |
CDI | Converged Systems | HP ConvergedSystem 700X (727178-B21) | No | |
CDI | Converged Systems | HP ConvergedSystem 700X for Microsoft (727177-B21) | No | |
CDI | Converged Systems | HP ConvergedSystem 700X v1.1 Foundation Kit (J0H71A) | No | |
CDI | Converged Systems | HP ConvergedSystem 700X v1.1 Microsoft Kit (J0H73A) | No | |
Servers | Integrity | HP Integrity cx2600, cx2620, BL60P, rx1600, rx1620, rx4640, rx5670, rx2600, rx2620, zx2000, zx8000 | No | |
Servers | Integrity | HP Integrity rx8640 Server; HP 9000 rp8420 Server; HP Integrity rx7640 Server; HP 9000 rp7420 Server | No | |
Servers | Integrity | Integrity BL860c & BL870c | No | |
Servers | Integrity | Integrity BL8x0C i2 & i4 | No | |
Servers | Integrity | Integrity rx2800 i2 & i4 | No | |
Servers | Integrity | Integrity rx6600, rx3600, rx2660 | No | |
Servers | DL Platform | ProLiant DL785 | No | |
Servers | DL Platform | ProLiant DL980 G7 Server | No | |
Servers | Integrity | SD 9000 Superdome OA | No | |
Servers | Platform Software | HP SUM ISO | No | |
Storage | LTO Tape Drives | LTO Tape Drives | No | |
Software | Security Products | SecureData (Voltage) | No | |
Software | Security Products | SecureMail (Voltage) | No | |
Software | Security Products | SecureMail Client (Voltage) | No | |
Servers | Platform Software | HP Insight Management Agents | No | |
Servers | Non-HP OS | HP SSL for OpenVMS | No | |
Servers | HP-UX | HP-UX KERNEL-PROVIDERS | No | |
Servers | HP-UX | HP-UX LVM Providers | No | |
Servers | HP-UX | HP-UX NParProvider | No | |
Servers | HP-UX | HP-UX NPartition | No | |
Servers | HP-UX | HP-UX olosProvider | No | |
Servers | HP-UX | HP-UX PartitionManager | No | |
Servers | HP-UX | HP-UX ProviderSvcsCore | No | |
Servers | HP-UX | HP-UX RAIDSA-PROVIDER | No | |
Servers | HP-UX | HP-UX SAS-PROVIDER | No | |
Servers | HP-UX | HP-UX SCSI-Provider | No | |
Servers | HP-UX | HP-UX SFM-CORE | No | |
Servers | HP-UX | HP-UX VParProvider | No | |
Servers | HP-UX | HP-UX WBEMP-FCP | No | |
Servers | HP-UX | HP-UX WBEMP-FS | No | |
Servers | HP-UX | HP-UX WBEMP-IOTreeIP | No | |
Servers | HP-UX | HP-UX WBEMP-LAN | No | |
Servers | HP-UX | HP-UX WBEMP-Storage | No | |
Servers | HP-UX | HP-UX WBEMServices | No | |
Servers | Platform Software | System Management Homepage for HPUX | No | |
Software | Security Products | Enterprise Secure Key Manager (ESKM) - versions 4.x | No | |
Software | Security Products | Enterprise Secure Key Manager (ESKM) - versions 5.x | No | |
Servers | HP-UX | HP-UX Perl | No | |
CDI | Converged Systems | HP OneView | No | |
CDI | Platform Software | HP Systems Insight Manager (SIM) | No | |
CDI | Platform Software | Insight Control performance pack (PMP) | | |