Important Information about HTTPoxy Vulnerability (CVE-2016-5387)
Publish Time: 2016-07-18 00:00:00 UTC+8
Last Updated: 2016-07-18 12:00:00 UTC+8
- Severity
- Moderate
- Status
- Resolved
Description
On July 18th, a vulnerability named “HTTPoxy” was announced. This vulnerability is affecting server-side web applications running CGI.
After the initial investigation, Synology has concluded that DSM itself is not affected by this vulnerability as the parameters HTTP_PROXY and HTTP_PROXY_* are not used.
Severity
Medium.
Mitigation
Even though DSM itself is free from this vulnerability, some open source modules such as PHP and Python might be affected. In order to avoid potential MITM attacks, it is highly recommended you always use HTTPS for the connections established between the clients and DSM.
Update Availability
Synology will update the affected packages once the patches are released by their open source teams.