Executive Summary
Summary | |
---|---|
Title | perl security update |
Informations | |||
---|---|---|---|
Name | RHSA-2011:1797 | First vendor Publication | 2011-12-08 |
Vendor | RedHat | Last vendor Modification | 2011-12-08 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated perl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Description: Perl is a high-level programming language commonly used for system administration utilities and web programming. It was found that the "new" constructor of the Digest module used its argument as part of the string expression passed to the eval() function. An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl program that uses untrusted input as an argument to the constructor. (CVE-2011-3597) It was found that the Perl CGI module used a hard-coded value for the MIME boundary string in multipart/x-mixed-replace content. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request. (CVE-2010-2761) A CRLF injection flaw was found in the way the Perl CGI module processed a sequence of non-whitespace preceded by newline characters in the header. A remote attacker could use this flaw to conduct an HTTP response splitting attack via a specially-crafted sequence of characters provided to the CGI module. (CVE-2010-4410) All Perl users should upgrade to these updated packages, which contain backported patches to correct these issues. All running Perl programs must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 658976 - perl-CGI, perl-CGI-Simple: CVE-2010-2761 - hardcoded MIME boundary value for multipart content, CVE-2010-4410 - CRLF injection allowing HTTP response splitting 743010 - CVE-2011-3597 Perl Digest improper control of generation of code |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2011-1797.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
33 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:19446 | |||
Oval ID: | oval:org.mitre.oval:def:19446 | ||
Title: | Perl Digest Module Code Injection Vulnerability | ||
Description: | Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2011-3597 | Version: | 5 |
Platform(s): | IBM AIX 5.3 IBM AIX 6.1 IBM AIX 7.1 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:19764 | |||
Oval ID: | oval:org.mitre.oval:def:19764 | ||
Title: | VMware vSphere and vCOps updates to third party libraries | ||
Description: | CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a different vulnerability than CVE-2010-2761 and CVE-2010-3172. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-4410 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20547 | |||
Oval ID: | oval:org.mitre.oval:def:20547 | ||
Title: | VMware vSphere and vCOps updates to third party libraries | ||
Description: | The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2010-2761 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20560 | |||
Oval ID: | oval:org.mitre.oval:def:20560 | ||
Title: | VMware vSphere and vCOps updates to third party libraries | ||
Description: | Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2011-3597 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21725 | |||
Oval ID: | oval:org.mitre.oval:def:21725 | ||
Title: | RHSA-2011:1797: perl security update (Moderate) | ||
Description: | Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:1797-01 CESA-2011:1797 CVE-2010-2761 CVE-2010-4410 CVE-2011-3597 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | perl |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23231 | |||
Oval ID: | oval:org.mitre.oval:def:23231 | ||
Title: | ELSA-2011:1797: perl security update (Moderate) | ||
Description: | Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:1797-01 CVE-2010-2761 CVE-2010-4410 CVE-2011-3597 | Version: | 17 |
Platform(s): | Oracle Linux 5 | Product(s): | perl |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-12-04 | Name : Ubuntu Update for perl USN-1643-1 File : nvt/gb_ubuntu_USN_1643_1.nasl |
2012-08-31 | Name : VMSA-2012-0013 VMware vSphere and vCOps updates to third party libraries. File : nvt/gb_VMSA-2012-0013.nasl |
2012-07-30 | Name : CentOS Update for perl CESA-2011:1797 centos4 x86_64 File : nvt/gb_CESA-2011_1797_perl_centos4_x86_64.nasl |
2012-07-30 | Name : CentOS Update for perl CESA-2011:1797 centos5 x86_64 File : nvt/gb_CESA-2011_1797_perl_centos5_x86_64.nasl |
2012-07-09 | Name : RedHat Update for perl RHSA-2011:0558-01 File : nvt/gb_RHSA-2011_0558-01_perl.nasl |
2012-07-09 | Name : RedHat Update for perl RHSA-2011:1424-01 File : nvt/gb_RHSA-2011_1424-01_perl.nasl |
2012-02-12 | Name : Gentoo Security Advisory GLSA 201110-03 (bugzilla) File : nvt/glsa_201110_03.nasl |
2012-01-20 | Name : Mandriva Update for perl MDVSA-2012:009 (perl) File : nvt/gb_mandriva_MDVSA_2012_009.nasl |
2012-01-20 | Name : Mandriva Update for perl MDVSA-2012:008 (perl) File : nvt/gb_mandriva_MDVSA_2012_008.nasl |
2012-01-17 | Name : Strawberry Perl Modules Multiple Vulnerabilities (Windows) File : nvt/gb_perl_modules_mult_vuln_win.nasl |
2011-12-12 | Name : CentOS Update for perl CESA-2011:1797 centos4 i386 File : nvt/gb_CESA-2011_1797_perl_centos4_i386.nasl |
2011-12-12 | Name : CentOS Update for perl CESA-2011:1797 centos5 i386 File : nvt/gb_CESA-2011_1797_perl_centos5_i386.nasl |
2011-12-09 | Name : RedHat Update for perl RHSA-2011:1797-01 File : nvt/gb_RHSA-2011_1797-01_perl.nasl |
2011-11-03 | Name : Fedora Update for perl FEDORA-2011-13874 File : nvt/gb_fedora_2011_13874_perl_fc14.nasl |
2011-05-10 | Name : Ubuntu Update for perl USN-1129-1 File : nvt/gb_ubuntu_USN_1129_1.nasl |
2011-03-05 | Name : FreeBSD Ports: bugzilla File : nvt/freebsd_bugzilla12.nasl |
2011-02-04 | Name : Fedora Update for perl-CGI FEDORA-2011-0654 File : nvt/gb_fedora_2011_0654_perl-CGI_fc13.nasl |
2011-02-04 | Name : Fedora Update for bugzilla FEDORA-2011-0741 File : nvt/gb_fedora_2011_0741_bugzilla_fc14.nasl |
2011-02-04 | Name : Fedora Update for perl-CGI FEDORA-2011-0640 File : nvt/gb_fedora_2011_0640_perl-CGI_fc14.nasl |
2011-01-31 | Name : Fedora Update for perl-CGI-Simple FEDORA-2011-0653 File : nvt/gb_fedora_2011_0653_perl-CGI-Simple_fc14.nasl |
2011-01-31 | Name : Fedora Update for perl-CGI-Simple FEDORA-2011-0631 File : nvt/gb_fedora_2011_0631_perl-CGI-Simple_fc13.nasl |
2011-01-21 | Name : Mandriva Update for perl-CGI MDVSA-2011:008 (perl-CGI) File : nvt/gb_mandriva_MDVSA_2011_008.nasl |
2010-12-28 | Name : Mandriva Update for perl-CGI-Simple MDVSA-2010:252 (perl-CGI-Simple) File : nvt/gb_mandriva_MDVSA_2010_252.nasl |
2010-12-23 | Name : Mandriva Update for perl-CGI-Simple MDVSA-2010:250 (perl-CGI-Simple) File : nvt/gb_mandriva_MDVSA_2010_250.nasl |
2010-12-02 | Name : Perl CGI.pm Header Values Newline Handling Unspecified Security Vulnerability File : nvt/gb_perl_CGI_45145.nasl |
2010-11-23 | Name : Mandriva Update for perl-CGI MDVSA-2010:237 (perl-CGI) File : nvt/gb_mandriva_MDVSA_2010_237.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
75990 | Digest Module for Perl Digest->new() Function eval() Call Remote Perl Code... |
69589 | CGI.pm header() Function Newline Character Handling HTTP Header Injection CGI.pm contains a flaw related to the 'header()' function's handling of newline characters. This may allow a remote attacker to inject arbitrary HTTP headers in a response to the user. |
69588 | CGI.pm multipart_init() Function multipart/x-mixed-replace MIME Type HTTP Hea... CGI.pm contains a flaw related to the 'multipart_init()' function when handing a message with 'multipart/x-mixed-replace' MIME type. This may allow a remote attacker to inject arbitrary HTTP headers in a response to the user. |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2012-09-27 | IAVM : 2012-A-0153 - Multiple Vulnerabilities in VMware ESX 4.0 and ESXi 4.0 Severity : Category I - VMSKEY : V0033884 |
2012-09-13 | IAVM : 2012-A-0148 - Multiple Vulnerabilities in VMware ESXi 4.1 and ESX 4.1 Severity : Category I - VMSKEY : V0033794 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-02-29 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_VMSA-2012-0013_remote.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_perl-58_20131017_2.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_perl-CGI-Simple-110127.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_perl-CGI-Simple-110107.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_perl-110112.nasl - Type : ACT_GATHER_INFO |
2014-01-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201401-33.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2011-19.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-1797.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-1424.nasl - Type : ACT_GATHER_INFO |
2013-01-30 | Name : The remote AIX host is missing a security patch. File : aix_IV10197.nasl - Type : ACT_GATHER_INFO |
2012-11-30 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1643-1.nasl - Type : ACT_GATHER_INFO |
2012-08-31 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2012-0013.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20111103_perl_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20111208_perl_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110519_perl_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-01-19 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-008.nasl - Type : ACT_GATHER_INFO |
2011-12-12 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-1797.nasl - Type : ACT_GATHER_INFO |
2011-12-09 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-1797.nasl - Type : ACT_GATHER_INFO |
2011-11-04 | Name : The remote host is missing the patch for the advisory RHSA-2011-1424 File : redhat-RHSA-2011-1424.nasl - Type : ACT_GATHER_INFO |
2011-11-03 | Name : The remote Fedora host is missing a security update. File : fedora_2011-13874.nasl - Type : ACT_GATHER_INFO |
2011-10-11 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201110-03.nasl - Type : ACT_GATHER_INFO |
2011-06-13 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1129-1.nasl - Type : ACT_GATHER_INFO |
2011-05-20 | Name : The remote host is missing the patch for the advisory RHSA-2011-0558 File : redhat-RHSA-2011-0558.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_perl-110112.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_perl-CGI-Simple-110107.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_perl-CGI-Simple-110127.nasl - Type : ACT_GATHER_INFO |
2011-02-03 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0755.nasl - Type : ACT_GATHER_INFO |
2011-02-03 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0741.nasl - Type : ACT_GATHER_INFO |
2011-02-01 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0654.nasl - Type : ACT_GATHER_INFO |
2011-02-01 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0640.nasl - Type : ACT_GATHER_INFO |
2011-01-31 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0653.nasl - Type : ACT_GATHER_INFO |
2011-01-31 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0631.nasl - Type : ACT_GATHER_INFO |
2011-01-28 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-008.nasl - Type : ACT_GATHER_INFO |
2011-01-26 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_c8c927e5289111e08f2600151735203a.nasl - Type : ACT_GATHER_INFO |
2011-01-21 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_perl-110112.nasl - Type : ACT_GATHER_INFO |
2011-01-21 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_perl-7316.nasl - Type : ACT_GATHER_INFO |
2010-11-16 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-237.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:55:24 |
|