Environment
NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Access Gateway Appliance and service
https://httpoxy.org/
CVE-2016-5387
CVE-2016-5388
Situation
The httpoxy (https://httpoxy.org/) vulnerability was recently reported.
Is the Apache from Access Gateway vulnerable?
httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:
- RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
- HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
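The namespace conflict described above, shown as an added example (not NetIQ code and not part of the original article). The function names and the sample request are constructed for illustration. The second call shows the effect of dropping the Proxy request header before the CGI mapping is applied.

```python
"""Added example: RFC 3875 header mapping and the HTTP_PROXY name collision."""

# Constructed sample data, not taken from any real request.
SERVER_ENV = {"REQUEST_METHOD": "GET", "SERVER_NAME": "www.example.com"}
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "sample-client/1.0",
    "Proxy": "http://proxy.example.invalid:8080",
}


def cgi_meta_variables(headers, drop=()):
    """Map request headers to CGI meta-variables (RFC 3875, section 4.1.18).

    The header name is upper-cased, '-' becomes '_' and 'HTTP_' is prefixed.
    Headers named in `drop` (case-insensitive) are not passed on.
    """
    dropped = {name.lower() for name in drop}
    return {
        "HTTP_" + name.upper().replace("-", "_"): value
        for name, value in headers.items()
        if name.lower() not in dropped
    }


def build_cgi_environment(server_env, headers, drop=()):
    """Environment handed to the application: server values plus request headers."""
    env = dict(server_env)
    env.update(cgi_meta_variables(headers, drop))
    return env


def outgoing_proxy(env):
    """Proxy that code reading HTTP_PROXY from this environment would pick up."""
    return env.get("HTTP_PROXY")


if __name__ == "__main__":
    unfiltered = build_cgi_environment(SERVER_ENV, SAMPLE_HEADERS)
    filtered = build_cgi_environment(SERVER_ENV, SAMPLE_HEADERS, drop=("Proxy",))
    print("unfiltered:", outgoing_proxy(unfiltered))
    print("Proxy header dropped:", outgoing_proxy(filtered))
```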
Resolution
The Access Gateway does not use this environment variable and is therefore not vulnerable.