[Announcement] CVE-2016-5387 Update


Dear Elastic Beanstalk customers,

We have reviewed all AWS services for impact from CVE-2016-5387. With the exception of certain configurations of Elastic Beanstalk, we have verified that AWS services are unaffected. Customers should inspect their Elastic Beanstalk environments as described below to ensure they are appropriately protected. If you use Managed Updates, Elastic Beanstalk will automatically update your environment to the latest platform version in the maintenance window you select.
If you are using the PHP platform, or have modified the default proxy configuration provided by Elastic Beanstalk to enable CGI on another platform, please follow the platform-specific steps listed below.

Thanks,

Elastic Beanstalk team

Note: Some of the steps listed below require the use of ebextensions. For more details on ebextensions, see Advanced Environment Customization with Configuration Files.

PHP

CGI applications running on PHP platforms in Elastic Beanstalk may be impacted. Elastic Beanstalk has released an updated version of the PHP platform (v2.1.4) which mitigates the impact of the CVE. If you have Managed Updates enabled for your environment, it will be automatically upgraded to the latest platform version in your maintenance window. You can also migrate immediately by going to the Managed Update configuration page and clicking the "Apply now" button.

Docker

By default, Docker environments in Elastic Beanstalk are not impacted. Your Docker application may be impacted if it is running as a CGI application. In that case, you can use the ebextension below to patch the Nginx proxy server so that it always clears the "Proxy" header before forwarding a request.

# This ebextension will configure nginx to clear the "Proxy" header
# from all incoming requests. Include this file in your ".ebextensions"
# folder.
#
# The command is idempotent: it only inserts the directive (right after the
# existing X-Forwarded-For line) when the proxy config does not already
# contain a "proxy_set_header Proxy" line.
commands:
  disable-proxy-header:
    command: grep -q 'proxy_set_header\sProxy\s' /etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf || sed -i '/proxy_set_header\s*X-Forwarded-For/a\ proxy_set_header Proxy "";' /etc/nginx/sites-enabled/elasticbeanstalk-nginx-docker-proxy.conf

Node.js

By default, Node.js environments in Elastic Beanstalk are not impacted. Your application may be impacted if it uses the "cgi" module (require("cgi")) or is configured to run as a CGI application using cgi-node. If you are impacted, please refer to the mitigation steps below.

If using Apache as the proxy:

# This ebextension will configure Apache httpd to clear the "Proxy" header
# from all incoming requests. Include this file in your ".ebextensions"
# folder.
#
# The RequestHeader directive is provided by mod_headers, which the
# Elastic Beanstalk Apache proxy loads.
files:
  "/etc/httpd/conf.d/header_fix.conf":
    mode: "000644"
    owner: root
    group: root
    content: |
      # Do not allow the Proxy header through to the application
      RequestHeader unset Proxy

If using Nginx as the proxy (or if you have Nginx set up with fcgi):

# This ebextension will configure nginx to clear the "Proxy" header
# from all incoming requests. Include this file in your ".ebextensions"
# folder.
#
# This runs as a container command, so it edits the staged copy of the
# proxy config under /tmp/deployment/config before it is installed. It is
# idempotent: the directive is only inserted (after the existing
# X-Forwarded-For line) when no "proxy_set_header Proxy" line exists yet.
container_commands:
  disable-proxy-header:
    command: grep -q 'proxy_set_header\sProxy\s' /tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf || sed -i '/proxy_set_header\s*X-Forwarded-For/a\ proxy_set_header Proxy "";' /tmp/deployment/config/#etc#nginx#conf.d#00_elastic_beanstalk_proxy.conf

If you are using "none" as the proxy, there is no remediation other than to use a proxy (modified as shown in the preceding examples) or to change your application to stop using CGI.

Go

By default, the Go platform in Elastic Beanstalk is not impacted. Your application may be impacted if it uses a CGI framework (fcgi under Nginx, or the "net/http/cgi" package) within the Go platform. If impacted, please clear the "Proxy" header by including a custom Nginx configuration along with your source code. You can find more information about customizing the Nginx configuration for Go platforms here.

# Include this line in your server (or location) block, alongside the
# other proxy_set_header directives, in /etc/nginx/nginx.conf or
# /etc/nginx/conf.d/*.conf. Header names are case-insensitive, so this
# matches "Proxy" however the client spells it; nginx does not forward a
# header whose value is set to the empty string.
proxy_set_header proxy "";
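The directives above all do the same thing at the reverse proxy: drop the incoming "Proxy" header before the request reaches a CGI program. The following is an added example, not code from the announcement or from Elastic Beanstalk. It models the RFC 3875 mapping from request headers to CGI meta-variables, shows why an unfiltered "Proxy" header ends up as HTTP_PROXY in the CGI program's environment, models the effect of the nginx and Apache directives, and includes a small check (the same idea as the grep in the ebextensions) that an nginx config fragment contains the blanking directive. The header values and the nginx snippet are constructed for the example.

```python
"""Added example for the CVE-2016-5387 mitigations above (not part of the
Elastic Beanstalk announcement). Models the CGI header-to-environment
mapping and what stripping the "Proxy" header at the proxy achieves."""
import re

# Header names the announcement's directives remove; compared case-insensitively
# because HTTP header names are case-insensitive (nginx's `proxy_set_header
# proxy ""` and Apache's `RequestHeader unset Proxy` both match any spelling).
STRIPPED_HEADERS = {"proxy"}


def cgi_meta_variable(header_name: str) -> str:
    """RFC 3875 section 4.1.18: 'HTTP_' + header name upper-cased, '-' -> '_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def headers_to_cgi_env(headers):
    """Model an unmitigated CGI gateway: every request header becomes an
    HTTP_* environment variable for the CGI program. `headers` is a list of
    (name, value) pairs in request order."""
    env = {}
    for name, value in headers:
        env[cgi_meta_variable(name)] = value
    return env


def strip_at_proxy(headers):
    """Model the ebextensions above: the reverse proxy drops the Proxy header
    before forwarding. Apache's `RequestHeader unset Proxy` removes it; nginx's
    `proxy_set_header Proxy ""` is equivalent because nginx does not forward a
    header whose value is the empty string."""
    return [(n, v) for n, v in headers if n.lower() not in STRIPPED_HEADERS]


def outbound_proxy_from_env(env):
    """What many HTTP client libraries consult, inside the CGI program, when
    deciding whether to send outbound requests through a proxy."""
    return env.get("HTTP_PROXY")


def nginx_config_strips_proxy(conf_text: str) -> bool:
    """Check (like the grep in the ebextensions) that an nginx config fragment
    blanks the Proxy header. Accepts "" or '' as the empty value."""
    pattern = r'^\s*proxy_set_header\s+proxy\s+(""|\'\')\s*;'
    return re.search(pattern, conf_text, re.IGNORECASE | re.MULTILINE) is not None


# Constructed sample request headers. The Proxy value is a deliberately
# non-routable placeholder; it exists only to make the mapping visible.
SAMPLE_HEADERS = [
    ("Host", "app.example.invalid"),
    ("X-Forwarded-For", "198.51.100.7"),
    ("Proxy", "http://proxy.example.invalid:8080"),
]

# Constructed nginx fragments: one with the mitigation, one without.
MITIGATED_CONF = 'location / {\n  proxy_set_header Host $host;\n  proxy_set_header Proxy "";\n}\n'
UNMITIGATED_CONF = 'location / {\n  proxy_set_header Host $host;\n}\n'


def unmitigated_http_proxy():
    """HTTP_PROXY as seen by the CGI program when nothing is stripped."""
    return outbound_proxy_from_env(headers_to_cgi_env(SAMPLE_HEADERS))


def mitigated_http_proxy():
    """HTTP_PROXY as seen by the CGI program behind a proxy that strips the header."""
    return outbound_proxy_from_env(headers_to_cgi_env(strip_at_proxy(SAMPLE_HEADERS)))


if __name__ == "__main__":
    print("unmitigated HTTP_PROXY:", unmitigated_http_proxy())
    print("mitigated HTTP_PROXY:  ", mitigated_http_proxy())
    print("mitigated conf ok:     ", nginx_config_strips_proxy(MITIGATED_CONF))
    print("unmitigated conf ok:   ", nginx_config_strips_proxy(UNMITIGATED_CONF))
```

The model deliberately stops at the environment variable: the point of the mitigation is that HTTP_PROXY never exists in the CGI program's environment, so no client library inside it has anything to pick up. The config check is a text match, not a parse of nginx's grammar, which is also all the grep in the ebextensions does; it tells you the directive is present, not that it sits in the right server or location block.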

  • This is an announcement migrated from AWS Forums that does not require an answer
