Executive Summary
Summary | |
---|---|
Title | perl security update |
Informations | |||
---|---|---|---|
Name | RHSA-2011:1424 | First vendor Publication | 2011-11-03 |
Vendor | RedHat | Last vendor Modification | 2011-11-03 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated perl packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: Perl is a high-level programming language commonly used for system administration utilities and web programming. A heap-based buffer overflow flaw was found in the way Perl decoded Unicode strings. An attacker could create a malicious Unicode string that, when decoded by a Perl program, would cause the program to crash or, potentially, execute arbitrary code with the permissions of the user running the program. (CVE-2011-2939) It was found that the "new" constructor of the Digest module used its argument as part of the string expression passed to the eval() function. An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl program that uses untrusted input as an argument to the constructor. (CVE-2011-3597) All Perl users should upgrade to these updated packages, which contain backported patches to correct these issues. All running Perl programs must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 731246 - CVE-2011-2939 Perl decode_xs heap-based buffer overflow 743010 - CVE-2011-3597 Perl Digest improper control of generation of code |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2011-1424.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
50 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:19446 | |||
Oval ID: | oval:org.mitre.oval:def:19446 | ||
Title: | Perl Digest Module Code Injection Vulnerability | ||
Description: | Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2011-3597 | Version: | 5 |
Platform(s): | IBM AIX 5.3 IBM AIX 6.1 IBM AIX 7.1 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20560 | |||
Oval ID: | oval:org.mitre.oval:def:20560 | ||
Title: | VMware vSphere and vCOps updates to third party libraries | ||
Description: | Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2011-3597 | Version: | 4 |
Platform(s): | VMWare ESX Server 4.1 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21725 | |||
Oval ID: | oval:org.mitre.oval:def:21725 | ||
Title: | RHSA-2011:1797: perl security update (Moderate) | ||
Description: | Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:1797-01 CESA-2011:1797 CVE-2010-2761 CVE-2010-4410 CVE-2011-3597 | Version: | 42 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | perl |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:23231 | |||
Oval ID: | oval:org.mitre.oval:def:23231 | ||
Title: | ELSA-2011:1797: perl security update (Moderate) | ||
Description: | Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:1797-01 CVE-2010-2761 CVE-2010-4410 CVE-2011-3597 | Version: | 17 |
Platform(s): | Oracle Linux 5 | Product(s): | perl |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-12-04 | Name : Ubuntu Update for perl USN-1643-1 File : nvt/gb_ubuntu_USN_1643_1.nasl |
2012-08-31 | Name : VMSA-2012-0013 VMware vSphere and vCOps updates to third party libraries. File : nvt/gb_VMSA-2012-0013.nasl |
2012-07-30 | Name : CentOS Update for perl CESA-2011:1797 centos4 x86_64 File : nvt/gb_CESA-2011_1797_perl_centos4_x86_64.nasl |
2012-07-30 | Name : CentOS Update for perl CESA-2011:1797 centos5 x86_64 File : nvt/gb_CESA-2011_1797_perl_centos5_x86_64.nasl |
2012-07-09 | Name : RedHat Update for perl RHSA-2011:1424-01 File : nvt/gb_RHSA-2011_1424-01_perl.nasl |
2012-01-20 | Name : Mandriva Update for perl MDVSA-2012:008 (perl) File : nvt/gb_mandriva_MDVSA_2012_008.nasl |
2012-01-20 | Name : Mandriva Update for perl MDVSA-2012:009 (perl) File : nvt/gb_mandriva_MDVSA_2012_009.nasl |
2012-01-17 | Name : Strawberry Perl Modules Multiple Vulnerabilities (Windows) File : nvt/gb_perl_modules_mult_vuln_win.nasl |
2011-12-12 | Name : CentOS Update for perl CESA-2011:1797 centos4 i386 File : nvt/gb_CESA-2011_1797_perl_centos4_i386.nasl |
2011-12-12 | Name : CentOS Update for perl CESA-2011:1797 centos5 i386 File : nvt/gb_CESA-2011_1797_perl_centos5_i386.nasl |
2011-12-09 | Name : RedHat Update for perl RHSA-2011:1797-01 File : nvt/gb_RHSA-2011_1797-01_perl.nasl |
2011-11-03 | Name : Fedora Update for perl FEDORA-2011-13874 File : nvt/gb_fedora_2011_13874_perl_fc14.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
76724 | Perl Encode decode_xs() Function Input Parsing Remote Overflow |
75990 | Digest Module for Perl Digest->new() Function eval() Call Remote Perl Code... |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2012-09-27 | IAVM : 2012-A-0153 - Multiple Vulnerabilities in VMware ESX 4.0 and ESXi 4.0 Severity : Category I - VMSKEY : V0033884 |
2012-09-13 | IAVM : 2012-A-0148 - Multiple Vulnerabilities in VMware ESXi 4.1 and ESX 4.1 Severity : Category I - VMSKEY : V0033794 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-02-29 | Name : The remote VMware ESX / ESXi host is missing a security-related patch. File : vmware_VMSA-2012-0013_remote.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_perl-58_20131017_2.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_perl-58_20131015.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_perl-111122.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_4_icedtea-web-111114.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_perl-111122.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_icedtea-web-111114.nasl - Type : ACT_GATHER_INFO |
2014-01-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201401-33.nasl - Type : ACT_GATHER_INFO |
2014-01-20 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201401-11.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2011-19.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-1797.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-1424.nasl - Type : ACT_GATHER_INFO |
2013-01-30 | Name : The remote AIX host is missing a security patch. File : aix_IV10197.nasl - Type : ACT_GATHER_INFO |
2012-11-30 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-1643-1.nasl - Type : ACT_GATHER_INFO |
2012-08-31 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2012-0013.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20111103_perl_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20111208_perl_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-01-19 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2012-008.nasl - Type : ACT_GATHER_INFO |
2011-12-12 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-1797.nasl - Type : ACT_GATHER_INFO |
2011-12-09 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-1797.nasl - Type : ACT_GATHER_INFO |
2011-11-04 | Name : The remote host is missing the patch for the advisory RHSA-2011-1424 File : redhat-RHSA-2011-1424.nasl - Type : ACT_GATHER_INFO |
2011-11-03 | Name : The remote Fedora host is missing a security update. File : fedora_2011-13874.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:55:16 |
|