Mitigating the HTTPoxy Vulnerability with AMIMOTO AMI

A vulnerability named ‘HTTPoxy’ was announced. It affects some server‑side web applications which run in CGI or CGI‑like environments. Languages known to be affected so far include PHP.


Abstraction of HTTPoxy

The security flaws affect applications which are running in CGI or similar environments and have been caused by a simple namespace conflict. In CGI, RFC 3875 puts the HTTP Proxy header from a request into environmental variables including HTTP_PROXY — which can be used to configure outgoing proxies.

This, in turn, causes a security weakness which can be exploited by remote attackers to execute code remotely. All it takes is outgoing HTTP requests to be proxied, directed to a malicious server and then for the web application to be forced to use a malicious proxy.

via 15-year-old httpoxy flaw causes developer patch scramble

The flaws affect older Guzzle library than version 6.2.1 which is used in AWS SDK for PHP. On Guzzle library version 6.2.1, the flaws are fixed.

There are some possibilities of existing applications which the flaw affects, kindly check your PHP application which getenv('HTTP_PROXY') are used or not. Check the following useful reference:

If you do not like to fix PHP apps, you should modify Nginx configuration to not to send HTTP_PROXY to CGI.

How to mitigate HTTPoxy flaw:
Mitigating the HTTPoxy Vulnerability with NGINX

For self-hosting customers:

On our latest AMIMOTO AMIs, we have fixed the issues above, so the flaw does not affect the new instance.

For Managed hosting customers:

On our managed hosting, we’re currently working on this issue, so you don’t have to mitigate.

Here are the information on Nginx, PHP, HHVM, MySQL versions included in our latest AMIMOTO AMI:

  • Nginx 1.11.1
  • PHP 5.6.23 or 7.0.8
  • HHVM 3.12.5 ( in case you launched HHVM version AMIMOTO AMI)
  • MySQL 5.6.31

How to update your current AMIMOTO AMI to the latest

We recommend to create snapshot before update AMI
How to Create a Snapshot and Restore from it

To fix vulnerability, you should update AMIMOTO AMI to the latest version. The following steps are for updating AMIMOTO AMI Amazon Linux version.

If you’re using our first AMIMOTO AMI based on CentOS, we recommend you to create a new instance with the latest AMIMOTO AMI and migrate data from your current instance to the new instance since we have not maintained the AMIMOTO AMI CentOS version.

Update steps:

Check your AMIMOTO AMI version

Access your instance through SSH and run the following command without $ the first letter of the line.

$ git -C /opt/local/chef-repo/cookbooks/amimoto/ branch
* 2016.01

Displayed numbers and letters are the AMIMOTO AMI versions.

In case of version 2016.01

If you get * before the version number of 2016.01, you can update to the latest of AMIMOTO AMI with the following command:

$ curl -L -s | sudo bash

after that, restart instance with following reboot command:

$ sudo reboot

In case of version earlier than 2016.01, or you got an error

Run the following command and update AMIMTO AMI to the latest version.
This command will remove and replace installed PHP, MySQL or other packages. If you are worried about running the following command, we recommend launching a new instance with the latest AMIMOTO AMI and migrate the data.

$ curl -L -s | sudo bash

after that, restart instance with following reboot command:

$ sudo reboot

That’s all the steps for mitigating the HTTPoxy vulnerability with AMIMOTO AMI.