
CGI application vulnerability for PHP, Go, Python and others (HTTPOXY)

Issue

On 19 Jul, 2016, several advisories describing a CGI vulnerability were published. Some examples:

CERT: https://www.kb.cert.org/vuls/id/797896

nginx: https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/

Microsoft: https://support.microsoft.com/en-us/kb/3179800

SecLists: http://seclists.org/oss-sec/2016/q3/94

Vulnerability Overview

(Credit: CERT, https://www.kb.cert.org/vuls/id/797896)

Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal sub requests or to direct the server to initiate connections to arbitrary hosts.
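The mechanism described above, as an added Python example that is not code from the original article or from Carbon Black: a CGI gateway applies the RFC 3875 rule that every client request header becomes an `HTTP_<NAME>` environment variable, so a client-supplied `Proxy` header lands in `HTTP_PROXY`, the same variable that many HTTP client libraries read as their outbound proxy setting. The block models that translation, shows the pre-fix proxy lookup beside a hardened one that ignores `HTTP_PROXY` whenever `REQUEST_METHOD` marks a CGI context (the approach the Python and Go standard-library fixes took), and includes the web-server-side mitigation of dropping the `Proxy` request header before it reaches the application. All function names and the sample request headers are constructed for the example.

```python
"""Added example: how CGI turns a client 'Proxy' header into HTTP_PROXY, with two defences.

Not code from the original article or from any Carbon Black product; all names are hypothetical.
"""
from typing import Dict, Optional

# Request headers that RFC 3875 maps to meta-variables without the HTTP_ prefix.
_SPECIAL_CGI_HEADERS = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def cgi_meta_variables(method: str, headers: Dict[str, str]) -> Dict[str, str]:
    """Model the RFC 3875 rule: each request header becomes HTTP_<NAME>, uppercased, '-' -> '_'."""
    env = {"REQUEST_METHOD": method}
    for name, value in headers.items():
        key = name.lower()
        if key in _SPECIAL_CGI_HEADERS:
            env[_SPECIAL_CGI_HEADERS[key]] = value
        else:
            # A client 'Proxy' header therefore becomes HTTP_PROXY in the child's environment.
            env["HTTP_" + key.upper().replace("-", "_")] = value
    return env


def naive_proxy_from_environment(env: Dict[str, str]) -> Optional[str]:
    """Pre-fix behaviour of many HTTP client libraries: trust HTTP_PROXY wherever it comes from."""
    return env.get("http_proxy") or env.get("HTTP_PROXY")


def hardened_proxy_from_environment(env: Dict[str, str]) -> Optional[str]:
    """Ignore the uppercase HTTP_PROXY when REQUEST_METHOD signals a CGI context.

    CGI only ever produces uppercase meta-variables, so the lowercase http_proxy
    (set by the operator, never by a request header) can still be honoured.
    """
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("http_proxy") or env.get("HTTP_PROXY")


def strip_proxy_header(headers: Dict[str, str]) -> Dict[str, str]:
    """Web-server / reverse-proxy side mitigation: drop the 'Proxy' request header before CGI sees it."""
    return {name: value for name, value in headers.items() if name.lower() != "proxy"}


def is_httpoxy_exposed(env: Dict[str, str]) -> bool:
    """Detection check inside a CGI process: HTTP_PROXY next to REQUEST_METHOD means a request header was mapped."""
    return "REQUEST_METHOD" in env and "HTTP_PROXY" in env


if __name__ == "__main__":
    # Constructed sample request: a client sends a 'Proxy' header to a CGI-backed endpoint.
    sample_headers = {
        "Host": "app.example",
        "Proxy": "http://proxy.example:8080",  # constructed value, not from the article
        "Content-Length": "0",
    }
    env = cgi_meta_variables("GET", sample_headers)
    print("exposed:", is_httpoxy_exposed(env))                      # True
    print("naive:", naive_proxy_from_environment(env))              # client-controlled value
    print("hardened:", hardened_proxy_from_environment(env))        # None
    cleaned = cgi_meta_variables("GET", strip_proxy_header(sample_headers))
    print("exposed after stripping:", is_httpoxy_exposed(cleaned))  # False
```

The two defences are complementary: stripping the header at the web server protects every CGI application behind it, while the `REQUEST_METHOD` guard protects a library even when a server has not been patched. Note that the guard keeps a lowercase `http_proxy` working, which is why the Python fix could avoid breaking operator-configured proxies.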

[Updated 21 Jul, 2016 - Cb Defense has concluded their investigation and the Cb Defense product is also not impacted]

Carbon Black has evaluated our products and services for this vulnerability. Cb Response, Cb Protection, Cb Defense, and the Cb Collective Defense Cloud are not impacted by this vulnerability. None of the HTTP services in our products use CGI or CGI-like contexts. Instead we use more modern and high-performance contexts such as WSGI, FastCGI, or Java Servlets.

Article Information
Creation Date: 07-20-2016