Important Information about HTTPoxy Vulnerability (CVE-2016-5387)

2016-07-18 12:00:00

Severity
Moderate
Status
Resolved

Description

On July 18th, a vulnerability named “HTTPoxy” was announced. This vulnerability is affecting server-side web applications running CGI.

After the initial investigation, Synology has concluded that DSM itself is not affected by this vulnerability as the parameters HTTP_PROXY and HTTP_PROXY_* are not used.

Severity

Medium.

Mitigation

Even though DSM itself is free from this vulnerability, some open source modules such as PHP and Python might be affected. In order to avoid potential MITM attacks, it is highly recommended you always use HTTPS for the connections established between the clients and DSM.

Update Availability

Synology will update the affected packages once the patches are released by their open source teams.

References

https://httpoxy.org/