Hewlett Packard Enterprise Product Security Vulnerability Alerts
HTTP_PROXY Environment Variable Handling Vulnerability ("Multiple CVEs")
Version 3.0: Last Updated: January 5th, 2017
This website is updated frequently, as new product information becomes available.
On July 18th, 2016, a vulnerability in the handling of the HTTP_PROXY environment variable by web servers, web frameworks, and programming languages that run in CGI or CGI-like environments, referred to as HTTPoxy, was disclosed. The vulnerability stems from using user-supplied input to set the HTTP_PROXY environment variable without sufficient validation. It could allow an unauthenticated, remote attacker to perform a man-in-the-middle (MITM) attack or redirect outbound traffic to an arbitrary server, which can cause disclosure of sensitive information.
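The mechanism behind the advisory, as an added Python example that is not HPE's code: a CGI gateway maps every request header to an `HTTP_<NAME>` variable, so a client-sent `Proxy` header lands in `HTTP_PROXY`; the hardened mapping drops that header, and a final check confirms the running interpreter applies the CVE-2016-1000110 guard. The headers and hostnames are constructed placeholders.

```python
"""Added example (not HPE's code): the CGI header-to-environment mapping
behind HTTPoxy, the defender-side fix of dropping the "Proxy" header, and a
check that the running Python applies the CVE-2016-1000110 guard.
The request headers and hostnames below are constructed placeholders."""
import os
from unittest import mock
import urllib.request

# Constructed sample request: the client sends a "Proxy" header, which a
# CGI gateway would expose to the script as HTTP_PROXY.
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "example-client/1.0",
    "Proxy": "http://proxy.placeholder.invalid:8080",
}


def cgi_env_from_headers(headers):
    """RFC 3875 mapping: each request header becomes HTTP_<NAME>.
    This is what makes HTTPoxy possible: "Proxy" -> HTTP_PROXY."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def hardened_cgi_env_from_headers(headers):
    """Same mapping, but the "Proxy" header is dropped before the mapping
    runs, so a request can never populate HTTP_PROXY."""
    safe = {k: v for k, v in headers.items() if k.lower() != "proxy"}
    return cgi_env_from_headers(safe)


def request_controlled_proxy(env):
    """The proxy an unpatched HTTP client library would pick up from this
    CGI environment, or None if the environment is clean."""
    return env.get("HTTP_PROXY")


def is_httpoxy_exposed(env):
    """Flag the dangerous combination: a CGI context (REQUEST_METHOD is set)
    together with a request-derived HTTP_PROXY."""
    return "REQUEST_METHOD" in env and bool(env.get("HTTP_PROXY"))


def interpreter_has_cgi_guard():
    """True if this Python ignores HTTP_PROXY when REQUEST_METHOD is set,
    i.e. it carries the fix for CVE-2016-1000110. The process environment
    is replaced only for the duration of the check."""
    poisoned = dict(cgi_env_from_headers(SAMPLE_HEADERS), REQUEST_METHOD="GET")
    with mock.patch.dict(os.environ, poisoned, clear=True):
        proxies = urllib.request.getproxies_environment()
    return "http" not in proxies


if __name__ == "__main__":
    vulnerable = dict(cgi_env_from_headers(SAMPLE_HEADERS), REQUEST_METHOD="GET")
    hardened = dict(hardened_cgi_env_from_headers(SAMPLE_HEADERS), REQUEST_METHOD="GET")
    print("unfiltered gateway exposed:", is_httpoxy_exposed(vulnerable))
    print("hardened gateway exposed:  ", is_httpoxy_exposed(hardened))
    print("python has CGI guard:      ", interpreter_has_cgi_guard())
```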
A number of CVEs have been assigned, covering specific languages and CGI implementations:
- CVE-2016-5385 (PHP)
- CVE-2016-5386 (Go)
- CVE-2016-5387 (Apache HTTP Server)
- CVE-2016-5388 (Apache Tomcat)
- CVE-2016-1000109 (HHVM)
- CVE-2016-1000110 (Python)
- CVE-2016-1000104 (mod_fcgi)
- CVE-2016-1000105 (Nginx CGI script)
- CVE-2016-1000107 (Erlang HTTP Server)
- CVE-2016-1000108 (YAWS)
- CVE-2016-1000111 (Python twisted)
Additional information about the vulnerability is available on the NIST website.
- Resources
- HPE Vulnerability Homepage
- NIST Website
Usage Instructions and Definitions for CVE Vulnerability Information

| Data | Definition |
| --- | --- |
| Product Family | High-level product description. |
| Product Name | Detailed product description. |
| CVE-XXXX (Impacted Y/N) | Indicates whether the specific product is affected by the cited vulnerability. |
| Impacted Direct/Indirect | Indicates whether the specific product is directly affected by the cited vulnerability or is indirectly affected due to a dependence on a separate, embedded or associated product. |
| If Impacted: Mitigation Info | Information regarding how to address a vulnerability. |
| Notes | Miscellaneous information regarding the vulnerability. |
| Link to Security Bulletin | Link to HPE's Security Bulletin. |
Use the following table to find vulnerability information.
| Product Family | Product Sub-Category | Product Name | HTTPoxy (impacted Y/N) | If Impacted - Mitigation | Link(s) to security bulletin (PSRT or Vendor) |
| --- | --- | --- | --- | --- | --- |
| Servers | Non-HP OS | SUSE Linux Enterprise Server | Yes | Under Investigation | https://www.suse.com/security/cve/CVE-2016-5387 |
| Servers | Non-HP OS | CentOS | Yes | Under Investigation | |
| Servers | Non-HP OS | Debian | Yes | Under Investigation | https://security-tracker.debian.org/tracker/CVE-2016-5387 |
| Servers | Platform Software | HP Insight Management Agents (Linux) | Yes | Under Investigation | |
| Servers | Platform Software | HP SNMP Agents for Citrix XenServer | Yes | Under Investigation | |
| Servers | Platform Software | HP System Management Homepage for Solaris 10 (x86[/x64]) Systems | Yes | Under Investigation | |
| Servers | Platform Software | Management Component Pack CD for dpkg-based distributions | Yes | Under Investigation | |
| Servers | Platform Software | Management Component Pack for Asianux 4 (i386 and x86_64) | Yes | Under Investigation | |
| Servers | Platform Software | Management Component Pack for CentOS 5 (i386 and x86_64) | Yes | Workaround: disable System Management Homepage (SMH). Fix under investigation. | |
| Servers | Platform Software | Management Component Pack for CentOS 6 (i386 and x86_64) | Yes | Workaround: disable System Management Homepage (SMH). Fix under investigation. | |
| Servers | Platform Software | Management Component Pack for CentOS 7 | Yes | Workaround: disable System Management Homepage (SMH). Fix under investigation. | |
| Servers | Platform Software | Management Component Pack for Oracle 5[.x] (i386 and x86_64) | Yes | Workaround: disable System Management Homepage (SMH). Fix under investigation. | |
| Servers | Platform Software | Management Component Pack for Oracle 6.x (x86_64) | Yes | Workaround: disable System Management Homepage (SMH). Fix under investigation. | |
| Servers | Platform Software | Management Component Pack for Oracle 7.x (x86_64) | Yes | Workaround: disable System Management Homepage (SMH). Fix under investigation. | |
| Servers | Non-HP OS | Oracle Linux | Yes | Under Investigation | |
| Servers | Platform Software | ProLiant Support Pack for Asianux 3 (i386 and x86_64) | Yes | Under Investigation | |
| Servers | Platform Software | ProLiant Support Pack for Fedora 14 (i386 and x86_64) | Yes | Under Investigation | |
| Servers | Platform Software | ProLiant Support Pack for openSUSE 11.3 (i386 and x86_64) | Yes | Under Investigation | |
| Servers | Non-HP OS | Red Hat Enterprise Linux | Yes | Under Investigation | |
| Servers | Platform Software | Support Bundle for Oracle Solaris 10 (x86/x64) on ProLiant | Yes | Under Investigation | |
| Servers | Platform Software | Support Bundle for Oracle Solaris 10 1/13 (x86/x64) on ProLiant | Yes | Under Investigation | |
| Servers | Non-HP OS | Ubuntu | Yes | Under Investigation | http://www.ubuntu.com/usn/usn-3038-1/ |
| Storage | StoreEasy | StoreEasy | Yes | Under Investigation | |
| Servers | Integrity | HP Integrity CB900s i2 & i4 Superdome 2 Server | Yes | Under Investigation | |
| Servers | Integrity | HP Integrity Superdome X | Yes | Under Investigation | |
| Servers | Platform Software | SD 2/SD X OA2 | Yes | Under Investigation | |
| Servers | Platform Software | HP OpenVMS | Yes | Under Investigation | |
| CDI | Converged Systems | HP ConvergedSystem 900 for SAP HANA - Scale Out (IVB only) | Yes | Under Investigation | |
| CDI | Converged Systems | HP ConvergedSystem 900 for SAP HANA - Scale Up | Yes | Under Investigation | |
| Servers | HP-UX | HP-UX Apache | Yes | Under Investigation | |
| Servers | HP-UX | HP-UX PHP | Yes | Under Investigation | |
| Servers | HP-UX | HP-UX Tomcat | Yes | Under Investigation | |
| Storage | StoreEver | MSL6480 Tape Library | Yes | Under Investigation | |
| Storage | StoreEver | Archive Manager | Yes | Under Investigation | |
| Storage | StoreEver | Archive Migrator | Yes | Under Investigation | |
| CDI | Converged Systems | HP AppSystem for SAP HANA Scale Out 1.2 | Yes | Under Investigation | |
| CDI | Converged Systems | HP ConvergedSystem 500 for SAP HANA - Single-Node (Scale-up) | Yes | Under Investigation | |
| CDI | Converged Systems | HP ConvergedSystem 500 for SAP HANA - Scale Out | Yes | Under Investigation | |
| CDI | Converged Systems | HP AppSystems for SAP HANA Scale-up Gen 1.0 | Yes | Under Investigation | |
| CDI | Converged Systems | HP AppSystems for SAP HANA Scale-out Gen 1.0 | Yes | Under Investigation | |
| Storage | StoreAll | StoreAll | Yes | Under Investigation | |
| CDI | Platform Software | System Management Homepage for Linux | Yes | Under Investigation | |
| CDI | Platform Software | System Management Homepage for Windows | Yes | Under Investigation | |
| CDI | Platform Software | Version Control Agent (Linux) | Yes | Under Investigation | |
| CDI | Platform Software | Version Control Agent (Windows) | Yes | Under Investigation | |
| CDI | Platform Software | Version Control Repository Manager | Yes | Under Investigation | |
| Servers | Platform Software | C-Track | Under Investigation | | |
| Servers | Platform Software | Instant Support Personal Edition (ISPE) Mobile App | Under Investigation | | |
| Servers | Non-HP OS | Solaris | Under Investigation | | |
| Networking | H3C Network | Comware v5 | Under Investigation | | |
| Networking | H3C Network | Comware v7 | Under Investigation | | |
| Networking | H3C Network | Unified Wireless Solutions (Comware V5) | Under Investigation | | |
| Networking | H3C Network | vSwitch | Under Investigation | | |
| Networking | HPE Network | SDN Applications | Under Investigation | | |
| Networking | H3C Network | HP Small Biz Network (SBN) solutions | Under Investigation | | |
| Networking | HPE Network | OA Service O/S (used in the Advanced Services v2 zl Module with HDD and Advanced Services v2 zl Module with SSD) | Under Investigation | | |
| Storage | 3PAR | 3PAR | Under Investigation | | |
| CDI | Converged Systems | HP ConvergedSystem 300 for Virtualization 1.0 | Under Investigation | | |
| CDI | Converged Systems | HP ConvergedSystem 300 for Virtualization 1.1 | Under Investigation | | |
| CDI | Converged Systems | HP ConvergedSystem 700 2.0 VMware | Under Investigation | | |
| CDI | Converged Systems | HP ConvergedSystem 700X for VMware (721223-B21) | Under Investigation | | |
| CDI | Converged Systems | HP ConvergedSystem 700X v1.1 VMware Kit (J0H72A) | Under Investigation | | |
| CDI | Converged Systems | HPE Converged Architecture 700 | Under Investigation | | |
| Servers | NonStop | iTP WebServer | Under Investigation | | |
| CDI | Converged Systems | HPE HC380 1.0 | Under Investigation | | |
| CDI | Converged Systems | HC380 1.0 U1 | Under Investigation | | |
| CDI | Converged Systems | HC380 1.1 | Under Investigation | | |
| Servers | NonStop | OSS scripting languages | Under Investigation | | |
| CDI | Platform Software | HPE OneView for vRealize | Under Investigation | | |
| Servers | Platform Software | HP Insight Management Agents (Linux) | Under Investigation | | |
| Servers | Platform Software | HP OneView for Red Hat Enterprise Virtualization | Under Investigation | | |
| Servers | Platform Software | HP VMware WBEM Providers | No | | |
| Servers | Platform Software | HP VMware Utilities | No | | |
| Servers | Power | HP DF UPS MM, HP Direct Flow UPS Management Module | No | | |
| Servers | Platform Software | HP Intelligent Modular Power Distribution Unit/Kit | No | | |
| Servers | Platform Software | HP IP Console Switch, HP Server Console Switch | No | | |
| Servers | Platform Software | HP Managed PDU | No | | |
| Servers | Platform Software | HP Monitored PDU | No | | |
| Servers | Power | HP UPS Network Management Card | No | | |
| Servers | Power | HP UPS Power Protector Software | No | | |
| Servers | Apollo | Apollo 8000 System Manager | No | | |
| Servers | Platform Software | HP Modular Cooling System, HP MCS x00 Cooling Unit | No | | |
| Servers | HP-UX | HP-UX iCAP | No | | |
| Servers | HP-UX | HP-UX VirtProvider | No | | |
| Servers | HP-UX | HP-UX vmProvider | No | | |
| Servers | HP-UX | HP-UX VSMgr | No | | |
| Servers | Platform Software | HP Insight Remote Support (V5 Client) | No | | |
| Servers | Platform Software | HP Insight Remote Support (V7 Client) | No | | |
| Servers | Platform Software | HPRC Client | No | | |
| Servers | Platform Software | HPRC Upload Applet | No | | |
| Servers | Platform Software | Remote Device Access - Instant Customer Access Server (iCAS) | No | | |
| Servers | Platform Software | Remote Device Access - Virtual Customer Access System (vCAS) | No | | |
| Servers | Platform Software | Service Pack for ProLiant | No | | |
| Servers | Platform Software | Integrated Management Log Viewer for Windows | No | | |
| Servers | Platform Software | Management Controller Driver for Windows | No | | |
| Servers | Non-HP OS | Citrix XenServer | No | | |
| Servers | Platform Software | HP ProLiant Solaris 11 Support Bundle | No | | |
| Servers | Platform Software | HPAPM, HP Advanced Power Manager | No | | |
| Servers | Platform Software | SLAPM, HP ProLiant SL Advanced Power Manager | No | | |
| Servers | Platform Software | HP iLO Mobile Application | No | | |
| Servers | Platform Software | HP BladeSystem c-Class Virtual Connect Support Utility | No | | |
| Servers | Platform Software | HP Insight Management VCEM Web Client SDK | No | | |
| Servers | Platform Software | Virtual Connect | No | | |
| Servers | Platform Software | Virtual Connect Enterprise Manager | No | | |
| Servers | Platform Software | HP Integrated Lights Out (iLO) | No | | |
| Servers | Platform Software | HP SUM | No | | |
| Networking | HPE Network | MSM Wireless | No | | |
| Networking | HPE Network | PVOS Legacy | No | | |
| Networking | HPE Network | ProVision Switches | No | | |
| Networking | H3C Network | Intelligent Management Center (IMC) | No | | |
| Networking | H3C Network | SecBlade SSL VPN (Comware v3) | No | | |
| Networking | HPE Network | Small Medium Business Solutions | No | | |
| Networking | H3C Network | VoIP (VCX) | No | | |
| Networking | HPE Network | SDN Controller | No | | |
| Networking | HPE Network | Threat Management Services (TMS) zl Security Module | No | | |
| Networking | Aruba Network | Aruba AirWave | No | | |
| Networking | Aruba Network | Aruba OS | No | | |
| Networking | Aruba Network | Aruba ClearPass | No | | |
| CDI | Converged Systems | HP ConvergedSystem 300 for Microsoft Analytics Platform | No | | |
| Servers | Platform Software | HP Intelligent Provisioning | No | | |
| CDI | Converged Systems | HP ConvergedSystem 300 for Microsoft 1.1 | No | | |
| CDI | Converged Systems | HP ConvergedSystem 700 2.0 Foundation | No | | |
| CDI | Converged Systems | HP ConvergedSystem 700X (727178-B21) | No | | |
| CDI | Converged Systems | HP ConvergedSystem 700X for Microsoft (727177-B21) | No | | |
| CDI | Converged Systems | HP ConvergedSystem 700X v1.1 Foundation Kit (J0H71A) | No | | |
| CDI | Converged Systems | HP ConvergedSystem 700X v1.1 Microsoft Kit (J0H73A) | No | | |
| Servers | Integrity | HP Integrity cx2600, cx2620, BL60P, rx1600, rx1620, rx4640, rx5670, rx2600, rx2620, zx2000, zx8000 | No | | |
| Servers | Integrity | HP Integrity rx8640 Server; HP 9000 rp8420 Server; HP Integrity rx7640 Server; HP 9000 rp7420 Server | No | | |
| Servers | Integrity | Integrity BL860c & BL870c | No | | |
| Servers | Integrity | Integrity BL8x0C i2 & i4 | No | | |
| Servers | Integrity | Integrity rx2800 i2 & i4 | No | | |
| Servers | Integrity | Integrity rx6600, rx3600, rx2660 | No | | |
| Servers | DL Platform | ProLiant DL785 | No | | |
| Servers | DL Platform | ProLiant DL980 G7 Server | No | | |
| Servers | Integrity | SD 9000 Superdome OA | No | | |
| Servers | Platform Software | HP SUM ISO | No | | |
| Storage | LTO Tape Drives | LTO Tape Drives | No | | |
| Software | Security Products | SecureData (Voltage) | No | | |
| Software | Security Products | SecureMail (Voltage) | No | | |
| Software | Security Products | SecureMail Client (Voltage) | No | | |
| Servers | Platform Software | HP Insight Management Agents | No | | |
| Servers | Non-HP OS | HP SSL for OpenVMS | No | | |
| Servers | HP-UX | HP-UX KERNEL-PROVIDERS | No | | |
| Servers | HP-UX | HP-UX LVM Providers | No | | |
| Servers | HP-UX | HP-UX NParProvider | No | | |
| Servers | HP-UX | HP-UX NPartition | No | | |
| Servers | HP-UX | HP-UX olosProvider | No | | |
| Servers | HP-UX | HP-UX PartitionManager | No | | |
| Servers | HP-UX | HP-UX ProviderSvcsCore | No | | |
| Servers | HP-UX | HP-UX RAIDSA-PROVIDER | No | | |
| Servers | HP-UX | HP-UX SAS-PROVIDER | No | | |
| Servers | HP-UX | HP-UX SCSI-Provider | No | | |
| Servers | HP-UX | HP-UX SFM-CORE | No | | |
| Servers | HP-UX | HP-UX VParProvider | No | | |
| Servers | HP-UX | HP-UX WBEMP-FCP | No | | |
| Servers | HP-UX | HP-UX WBEMP-FS | No | | |
| Servers | HP-UX | HP-UX WBEMP-IOTreeIP | No | | |
| Servers | HP-UX | HP-UX WBEMP-LAN | No | | |
| Servers | HP-UX | HP-UX WBEMP-Storage | No | | |
| Servers | HP-UX | HP-UX WBEMServices | No | | |
| Servers | Platform Software | System Management Homepage for HP-UX | No | | |
| Software | Security Products | Enterprise Secure Key Manager (ESKM) - versions 4.x | No | | |
| Software | Security Products | Enterprise Secure Key Manager (ESKM) - versions 5.x | No | | |
| Servers | HP-UX | HP-UX Perl | No | | |
| CDI | Converged Systems | HP OneView | No | | |
| CDI | Platform Software | HP Systems Insight Manager (SIM) | No | | |
| CDI | Platform Software | Insight Control performance pack (PMP) | No | | |
| CDI | Platform Software | Insight Control server deployment | No | | |
| CDI | Platform Software | Insight Control server migration (SMP, V2V/P2P etc.) | No | | |
| CDI | Platform Software | Insight Control server provisioning | No | | |
| CDI | Platform Software | Insight Control Virt/Virt Machine Mgt (VMM) | No | | |
| CDI | Platform Software | Insight Orchestration | No | | |
| CDI | Platform Software | IS-Installer | No | | |
| CDI | Platform Software | Matrix Recovery Management | No | | |
| CDI | Platform Software | MOE Capacity Advisor | No | | |
| CDI | Platform Software | MOE global Workforce Load Manager; gWLM | No | | |
| CDI | Platform Software | SPM (Storage) (SSI Plug-in) | No | | |
| CDI | Platform Software | WMI Mapper* | No | | |
| CDI | Platform Software | OneView for Virtual Center (OV4VC) | No | | |
| CDI | Converged Systems | OneView for System Center (OV4SC) | No | | |
| CDI | Platform Software | OpsA | No | | |
| CDI | Platform Software | vPV | No | | |
| CDI | Platform Software | vROPS | No | | |
| CDI | Platform Software | LSM Adaptor | No | | |
| CDI | Platform Software | AD, iCAP Mgr, WLM, Vman, VseAssist, MSSW, IS Advisor, IS Installer, MXSYNC, SD Plug-in | No | | |
| CDI | Platform Software | HP Insight Power Management (IPM) | No | | |
| Servers | HP-UX | HP-UX Firefox | No | | |
| Servers | HP-UX | HP-UX FTP Client | No | | |
| Servers | HP-UX | HP-UX FTP Server (WU-FTPD) | No | | |
| Servers | HP-UX | HP-UX Sendmail | No | | |
| Servers | HP-UX | HP-UX Thunderbird | No | | |
| Servers | NonStop | NSJSP | No | | |
| CDI | Platform Software | OO | No | | |
| CDI | Platform Software | Onboard Administrator (OA) | No | | |
| Storage | XP Storage | HP XP7 Storage System Service Processor | No | | |
| Storage | XP Storage | HP XP P9500 Disk Array Service Processor | No | | |
| Storage | XP Storage | HP XP24000/XP20000 Disk Array Service Processor | No | | |
| Storage | XP Software | HPE Command View Advanced Edition software v8.x | No | | |
| Servers | Platform Software | HP SUT Win/Lin | No | | |
| Servers | Platform Software | HP SUT ESXi | No | | |
| Servers | Platform Software | SPP Custom Download | No | | |
| Software | Security Products | ArcSight ArcMC | No | | |
| Software | Security Products | ArcSight Logger | No | | |
| Software | Security Products | ArcSight ESM | No | | |
| Software | Security Products | ArcSight Connectors | No | | |
| Software | Security Products | Atalla Payments HSM | No | | |
| CDI | Converged Systems | HPE ConvergedSystem 700 2.0 Hyper-V | No | | |
| CDI | Platform Software | System Insight Manager (SIM) | No | | |
| Servers | MX990X | MX990X | No | | |
| Networking | Aruba Network | Central | No | | |
| Storage | StoreEver | ESL G3 Tape Library | No | | |
| Storage | StoreEver | MSL G3 Tape Libraries | No | | |
| Storage | StoreEver | MSL G2 1/8 Autoloader | No | | |
| Storage | StoreEver | Command View TL | No | | |
| Storage | StoreEver | Library and Tape Tools | No | | |
| Storage | StoreOpen | Automation and Standalone | No | | |
| CDI | Converged Systems | HPE Hyper Converged 250 for Microsoft CPS | No | | |
| Servers | HP-UX | Serviceguard Portfolio | No | | |
| Servers | Linux | Serviceguard Portfolio | No | | |
| Storage | StoreEver | LTO-7 Ultrium 15000 Tape Drive | No | | |
| Storage | StoreEver | LTO-6 Ultrium 6260/6650 Tape Drive | No | | |
| Storage | StoreEver | LTO-5 Ultrium 3000/3280 Tape Drive | No | | |
| Storage | StoreEver | LTO-4 Ultrium 1760 Tape Drive | No | | |
| Storage | StoreEver | LTO-3 Ultrium 920 Tape Drive | No | | |
| CDI | Platform Software | Insight Control for Linux | No | | |