Today we are releasing urgent maintenance fixes for Bolt 2 & 3, in the form of 2.2.23 & 3.0.11.

These releases contain updated components to assist in mitigating a new security risk, known as "HTTPoxy".

Summary

HTTPoxy is a remotely exploitable CGI application vulnerability that affects PHP, Go, Python, and other programming languages used on the web.

Mitigating its effect should be taken very seriously, as there are known exploits doing the rounds.

Note: For the PHP specific vulnerability see CVE-2016-5385.

Immediate Mitigation & Recommended Action

There are two ways to mitigate this problem: either directly updating your web server configuration, or updating your Bolt install.

If you have the ability to change your web server's configuration, we highly recommend this approach, as it is the simplest and preferred option. Changing the web server configuration also covers every installed application and library that would otherwise be affected by HTTPoxy, not just Bolt.

See the information on the HTTPoxy site for details on updated parameters for Apache & Nginx web servers.

Note: Composer based installations of Bolt can be updated by simply running php composer.phar update in the root of your site.

Affected Libraries

The following libraries used in Bolt are known to be vulnerable:

  • Guzzle
    • 5.0.0 to 5.3.0
    • 6.0.0 to 6.2.0
  • Composer
    • All versions prior to 1.2.0

Note: Composer, when used on the command line, is not vulnerable; it only becomes a threat relevant to Bolt installs through the use of its API on the extensions page.

Affected Bolt Versions

The HTTPoxy vulnerability isn't specific to Bolt itself, but rather to the libraries that Bolt uses.

However, the following versions of Bolt should be considered in need of attention, and updated:

  • 2.0.0 to 2.2.22 (mitigated in 2.2.23)
  • 3.0.0 to 3.0.10 (mitigated in 3.0.11)

Note: Bolt 1.x versions are (currently) not known to contain any vulnerable libraries.

Diagnosing Your Installation

To diagnose the issue, temporarily install the following as test.php in the root of your site:

    <?php

    // Print the value the web server mapped from a "Proxy:" request header, if any.
    // isset() avoids an undefined-index notice on servers that are not affected.
    echo "HTTP_PROXY='" . (isset($_SERVER['HTTP_PROXY']) ? $_SERVER['HTTP_PROXY'] : '') . "'\n";

Then call the PHP script with a "Proxy:" request header:

    curl -H 'Proxy: AFFECTED' http://my-server-name/test.php

If you see the following output, your server is unaffected:

    HTTP_PROXY=''

If instead you see the following, or any other output, your server may be affected and you should apply one of the mitigation options suggested above:

    HTTP_PROXY='AFFECTED'

Information supplied by Red Hat

Library Patches

Note: This section is intended for people with a technical background, who need to make changes directly on a server and understand the content.

These are the relevant patches applied to libraries, per version:
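As an added illustration (not Bolt's, Guzzle's or Composer's own code, and not the patch list itself), the following PHP shows the mechanism the library patches address: under CGI/FastCGI a "Proxy:" request header is mapped into the HTTP_PROXY environment variable, and an HTTP client that honours that variable in a web process can have its outbound requests redirected. The function names cgiEnvironmentFromHeaders, proxyFromEnvVulnerable and proxyFromEnvHardened, the request headers and the proxy URL proxy.invalid:8080 are all constructed for this example; the hardened function mirrors the shape of the Guzzle 6.2.1 fix (only trust HTTP_PROXY when PHP_SAPI is 'cli'). Requires PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example, not Bolt's, Guzzle's or Composer's code.
//
// Under CGI and FastCGI (RFC 3875, section 4.1.18) the web server exposes
// every request header as an environment variable named HTTP_<HEADER>, with
// the name upper-cased and "-" replaced by "_". A "Proxy:" request header
// therefore lands in HTTP_PROXY, the variable that HTTP client libraries
// read to locate an outbound proxy.

/**
 * Simulates the CGI header-to-environment mapping for a constructed set of
 * request headers. This name and behaviour belong to the example, not to
 * any library API.
 */
function cgiEnvironmentFromHeaders(array $headers): array
{
    $env = [];
    foreach ($headers as $name => $value) {
        $env['HTTP_' . strtoupper(str_replace('-', '_', $name))] = $value;
    }
    return $env;
}

/**
 * Vulnerable pattern: HTTP_PROXY is honoured no matter how the process was
 * started. An unconditional lookup of this shape is what made the affected
 * Guzzle and Composer versions listed above vulnerable.
 */
function proxyFromEnvVulnerable(array $env): ?string
{
    return $env['HTTP_PROXY'] ?? null;
}

/**
 * Hardened pattern: HTTP_PROXY is only trusted when PHP runs as a
 * command-line process, because no request header can reach a CLI
 * process's environment. Under every web SAPI (cgi-fcgi, fpm-fcgi,
 * apache2handler, ...) the variable is ignored.
 * $sapi defaults to PHP_SAPI; it is a parameter only so that the behaviour
 * can be demonstrated from the command line.
 */
function proxyFromEnvHardened(array $env, string $sapi = PHP_SAPI): ?string
{
    if ($sapi === 'cli') {
        return $env['HTTP_PROXY'] ?? null;
    }
    return null;
}

// Constructed request: a client sent a "Proxy:" header to the site.
$env = cgiEnvironmentFromHeaders([
    'Host'  => 'my-server-name',
    'Proxy' => 'http://proxy.invalid:8080',   // constructed value for the demo
]);

echo "vulnerable lookup  : ", var_export(proxyFromEnvVulnerable($env), true), "\n";
echo "hardened (fpm-fcgi): ", var_export(proxyFromEnvHardened($env, 'fpm-fcgi'), true), "\n";
echo "hardened (cli)     : ", var_export(proxyFromEnvHardened($env, 'cli'), true), "\n";
```

Run it with php on the command line: the vulnerable lookup returns the injected URL, the hardened lookup returns NULL when told it is running under fpm-fcgi, and only trusts the variable for a cli process. The web server mitigation referred to above works one layer earlier, by stopping the header-to-variable mapping before PHP sees it, which is why it protects every application on the host rather than one patched library.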
