Drupal 8: Critical vulnerability in Guzzle library / httpoxy (PSA-2016-002)

Submitted by dryer on Mon, 07/18/2016 - 06:32
Drupal 8, PSA-2016-002

On Monday 18th July 2016 Drupal 8 will receive a critical patch. The issue is not in Drupal itself but in a third-party library that Drupal uses. Normally the Drupal security team releases patches on Wednesdays, but in this case the release has been moved to Monday. There will be no release on the upcoming Wednesday, July 20th.

The issue at hand is in the Guzzle library, and it in turn stems from a much larger issue, now known as httpoxy, which is a low-level issue in how FastCGI and PHP-CGI work together:

Branded as "httpoxy", the vulnerability is at the HTTP layer level and can be exploited when using libraries that make outbound requests from the server where a request is made. Essentially an attacker could use this to send outbound traffic through their own proxy servers, which will essentially give them control over what is sent back to the server and possibly to the requesting client as well.
Source: Httpoxy vulnerability hits PHP installs using FastCGI with PHP-FPM, HHVM

This means that regardless of which version of Drupal (or any other PHP application) you run, you should take a closer look and make sure your application is not exploitable through the httpoxy vulnerability.
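To make the mechanism concrete, here is an added example (not code from the Drupal or Guzzle projects) that models both halves of httpoxy in Python: the CGI rule that turns a client-supplied Proxy header into an HTTP_PROXY environment variable, the vulnerable library behaviour of trusting that variable, and the two independent fixes (strip the header at the web server, or have the library ignore HTTP_PROXY when running under CGI). The header and proxy values are constructed; the web-server directives in the comment are the published httpoxy mitigations.

```python
from typing import Dict, Optional

# Request headers whose CGI meta-variable name collides with an environment
# variable that HTTP client libraries read for proxy settings. The server-side
# httpoxy fix is to never export them (for example Apache "RequestHeader unset
# Proxy" or nginx "fastcgi_param HTTP_PROXY \"\";").
BLOCKED_HEADERS = {"proxy"}

def cgi_meta_var(header_name: str) -> str:
    """RFC 3875 mapping: 'Proxy' -> 'HTTP_PROXY', 'User-Agent' -> 'HTTP_USER_AGENT'."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")

def headers_to_env(headers: Dict[str, str], harden: bool) -> Dict[str, str]:
    """Environment a CGI/FastCGI front end hands to the PHP process.
    harden=False exports every header (vulnerable); harden=True drops the
    blocked ones before they can reach the application."""
    env: Dict[str, str] = {}
    for name, value in headers.items():
        if harden and name.strip().lower() in BLOCKED_HEADERS:
            continue
        env[cgi_meta_var(name)] = value
    return env

def naive_outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Library-side behaviour that made httpoxy exploitable: trust HTTP_PROXY
    from the environment without asking where it came from."""
    return env.get("HTTP_PROXY")

def safe_outbound_proxy(env: Dict[str, str], running_under_cgi: bool) -> Optional[str]:
    """Library-side fix: under CGI/FastCGI, HTTP_PROXY may be a request header
    in disguise, so ignore it there and honour it only for CLI/daemon processes."""
    if running_under_cgi:
        return None
    return env.get("HTTP_PROXY")

# Constructed sample request: ordinary headers plus a client-supplied Proxy header.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "test-client/1.0",
    "Proxy": "http://untrusted.example:8080",
}

def demo():
    """Proxy each stack would use: (vulnerable, server-side fix, library-side fix)."""
    open_env = headers_to_env(SAMPLE_HEADERS, harden=False)
    fixed_env = headers_to_env(SAMPLE_HEADERS, harden=True)
    return (naive_outbound_proxy(open_env),
            naive_outbound_proxy(fixed_env),
            safe_outbound_proxy(open_env, running_under_cgi=True))
```

Either fix alone closes the hole for a given request; applying both gives defence in depth, since a PHP application cannot otherwise tell a genuine HTTP_PROXY setting from one smuggled in through a header.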