Description Preview
Overview
The "httpoxy" vulnerability (CVE-2016-1000109) in HHVM is a serious security issue affecting CGI applications. The vulnerability stems from HHVM's improper handling of the Proxy HTTP header, which gets converted to the HTTP_PROXY environment variable. Many HTTP client libraries use the HTTP_PROXY environment variable to determine which proxy server to use for outbound connections. By sending a malicious Proxy header in an HTTP request, an attacker can control where the application's HTTP requests are sent, potentially intercepting sensitive data or performing man-in-the-middle attacks.
This vulnerability impacts multiple versions of HHVM:
- All versions prior to 3.9.6
- All versions from 3.10.0 through 3.12.4
- All versions from 3.13.0 through 3.14.2
Remediation
To address this vulnerability, system administrators and developers should:
-
Update HHVM to a patched version:
- Version 3.9.6 or later
- Version 3.12.5 or later
- Version 3.14.3 or later
-
If updating is not immediately possible, implement one of these mitigations:
- Configure your web server to strip or block the Proxy header from incoming requests
- For Apache, add:
RequestHeader unset Proxy early - For Nginx, add:
fastcgi_param HTTP_PROXY ""; - For other servers, consult the httpoxy.org website for specific instructions
-
Review your application code to ensure it doesn't rely on the HTTP_PROXY environment variable in an unsafe manner
-
Consider implementing additional network-level protections such as Web Application Firewalls configured to block requests containing Proxy headers
References
- Official patch: https://github.com/facebook/hhvm/commit/423b4b719afd5ef4e6e19d8447fbf7b6bc0d0a25
- Comprehensive information about httpoxy: https://httpoxy.org/
- Facebook security advisory: https://www.facebook.com/security/advisories/cve-2016-1000109
- RFC 3875 section 4.1.18 (CGI specification): https://tools.ietf.org/html/rfc3875#section-4.1.18
Industry ExposureMost to leastThis section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Accommodation & Food ServicesAccommodation & Food Services
- Administrative, Support, Waste Management & Remediation ServicesAdministrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry Fishing & HuntingAgriculture, Forestry Fishing & Hunting
- Arts, Entertainment & RecreationArts, Entertainment & Recreation
- ConstructionConstruction
- Educational ServicesEducational Services
- Finance and InsuranceFinance and Insurance
- Health Care & Social AssistanceHealth Care & Social Assistance
- InformationInformation
- Management of Companies & EnterprisesManagement of Companies & Enterprises
- ManufacturingManufacturing
- MiningMining
- Other Services (except Public Administration)Other Services (except Public Administration)
- Professional, Scientific, & Technical ServicesProfessional, Scientific, & Technical Services
- Public AdministrationPublic Administration
- Real Estate Rental & LeasingReal Estate Rental & Leasing
- Retail TradeRetail Trade
- Transportation & WarehousingTransportation & Warehousing
- UtilitiesUtilities
- Wholesale TradeWholesale Trade
