Lucee (Tomcat actually) HTTPoxy Vulnerability

Just in case any of you are being scanned for PCI compliance, you may want
this heads-up that it's now checking for the HTTPoxy unhandled PROXY header
vuln (https://httpoxy.org/).

I blocked PROXY headers in IIS (and cleaned up some old PHP references in
CGI settings) but I still was failing the scan.

Turns out older versions of Tomcat have the vulnerability (I was running
8.0.24) https://www.apache.org/security/asf-httpoxy-response.txt

Upgrading to 8.0.36 seems to have sorted the issue.

(FWIW the new PCI scan also checks for Sweet32 vulns in 64-bit ciphers,
i.e. DES-CBC3-SHA, so you'll have to deal with those too.)
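The mechanism behind HTTPoxy (a client-supplied Proxy header copied into the CGI environment as HTTP_PROXY) together with the two checks the post mentions, dropping that header and spotting 64-bit block ciphers, as an added Python example that is not Tomcat's, Lucee's or the original poster's code; the header values and cipher names are constructed samples.

```python
# Added example: models the RFC 3875 header-to-environment translation that
# makes HTTPoxy possible, beside the mitigation of discarding the Proxy header.
# Constructed sample input; not code from Tomcat, Lucee or the original post.
import re

# Request headers as a client could send them (constructed sample).
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "scanner/1.0",
    "Proxy": "http://proxy.example.test:8080",  # the HTTPoxy trigger
}

# Headers a CGI gateway must never copy into HTTP_* variables: the resulting
# name collides with an environment variable HTTP client libraries honour.
HTTPOXY_BLOCKLIST = {"proxy"}


def header_to_cgi_name(name: str) -> str:
    """RFC 3875 meta-variable rule: upper-case, '-' -> '_', prefix HTTP_."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", name.upper())


def cgi_environment(headers: dict, drop_httpoxy: bool) -> dict:
    """Build the environment a CGI child process would inherit.

    drop_httpoxy=False reproduces the unfixed behaviour: the client's
    'Proxy' header lands in HTTP_PROXY, where it can redirect any outbound
    HTTP the script makes.  drop_httpoxy=True applies the mitigation.
    """
    env = {}
    for name, value in headers.items():
        if drop_httpoxy and name.lower() in HTTPOXY_BLOCKLIST:
            continue
        env[header_to_cgi_name(name)] = value
    return env


def is_httpoxy_probe(headers: dict) -> bool:
    """Request-level check: browsers never send a Proxy header, so its
    presence is worth logging or rejecting at the front end (e.g. in IIS)."""
    return any(name.lower() == "proxy" for name in headers)


# Substrings of OpenSSL cipher names that denote 64-bit block ciphers.
SWEET32_64BIT_BLOCK = ("DES-CBC3", "IDEA", "RC2")


def sweet32_ciphers(cipher_names):
    """Return the cipher names a Sweet32 check would flag."""
    return [c for c in cipher_names
            if any(tag in c.upper() for tag in SWEET32_64BIT_BLOCK)]
```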