Is Access Manager susceptible to the HTTPOXY vulnerability (CVE-2016-5387)?

  • 7017856
  • 19-Jul-2016
  • 19-Jul-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Access Gateway Appliance and service
https://httpoxy.org/
CVE-2016-5387
CVE-2016-5388

Situation

The HTTPOXY (https://httpoxy.org/) vulnerability was recently reported.

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:

  • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
  • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy

This leads to a remotely exploitable vulnerability.
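The namespace conflict described above, as an added Python illustration (not NetIQ or httpoxy.org code). It is a simplified model of the RFC 3875 header mapping; the function names, header values and server environment are constructed for the example. It shows a request's Proxy header replacing an administrator-set HTTP_PROXY, and the effect of discarding that header before the mapping.

```python
# Added illustration: simplified model of how a CGI gateway builds the child
# environment. All names and sample values below are constructed.

def cgi_meta_variables(headers):
    """Map request headers to CGI meta-variables as RFC 3875 describes:
    upper-case the name, replace '-' with '_', prefix with 'HTTP_'."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}

def shadowed_variables(server_env, headers):
    """Administrator-set variables that a request header would overwrite."""
    return sorted(set(server_env) & set(cgi_meta_variables(headers)))

def build_cgi_env(server_env, headers, drop_proxy_header=False):
    """Return the environment a CGI child process would see.

    drop_proxy_header=True models the hardened gateway: the request's Proxy
    header is discarded (case-insensitively) before the mapping runs."""
    if drop_proxy_header:
        headers = {k: v for k, v in headers.items() if k.lower() != "proxy"}
    env = dict(server_env)
    env.update(cgi_meta_variables(headers))  # request-derived values win
    return env

def outgoing_proxy(env):
    """What an HTTP client that honours HTTP_PROXY would use for egress."""
    return env.get("HTTP_PROXY")

# Constructed sample data (documentation-range address, example domains).
SERVER_ENV = {"HTTP_PROXY": "http://proxy.internal.example:3128"}
SAMPLE_REQUEST = {
    "Host": "app.example.test",
    "User-Agent": "sample-client/1.0",
    "Proxy": "http://192.0.2.10:8080",
}

if __name__ == "__main__":
    print("colliding names:", shadowed_variables(SERVER_ENV, SAMPLE_REQUEST))
    for hardened in (False, True):
        env = build_cgi_env(SERVER_ENV, SAMPLE_REQUEST, drop_proxy_header=hardened)
        print("hardened" if hardened else "default ", "->", outgoing_proxy(env))
```
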

Is the Apache server in the Access Gateway vulnerable?

Resolution

The Access Gateway does not use this environment variable and is therefore not vulnerable.