===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1178.2
       Perl Digest Module "Digest->new()" Code Injection Vulnerability
                               29 January 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Perl
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-3597
Reference:         ESB-2011.1102

Original Bulletin:
   http://aix.software.ibm.com/aix/efixes/security/perl_advisory2.asc

Revision History:  January 29 2013: Fixed vulnerable fileset levels, added
                                    VIOS levels under section V for interim
                                    fixes, fixed availability dates
                   November 24 2011: Initial release

--------------------------BEGIN INCLUDED TEXT--------------------

IBM SECURITY ADVISORY

First Issued: Mon Nov 22 15:00:14 CST 2011
| Updated: Fri Jan 25 13:39:30 CST 2013
| Fixed vulnerable fileset levels
| Added VIOS levels under section V for interim fixes
| Fixed availability dates

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/perl_advisory2.asc

===============================================================================

                           VULNERABILITY SUMMARY

VULNERABILITY:   Perl Digest Module "Digest->new()" Code Injection
                 Vulnerability

PLATFORMS:       AIX 5.3, 6.1, 7.1

SOLUTION:        Apply the fix as described below.

THREAT:          A remote attacker may run arbitrary code.

CERT VU Number:  n/a

CVE Number:      CVE-2011-3597

===============================================================================

                           DETAILED INFORMATION

I. OVERVIEW

    Perl is a free software scripting language interpreter that provides a
    rich set of features; it is shipped as part of the base AIX Operating
    System environment.

II. DESCRIPTION

    The Digest module for Perl is prone to a vulnerability that lets
    attackers inject and execute arbitrary Perl code. Remote attackers can
    exploit this issue to run arbitrary code in the context of the affected
    application. Digest versions prior to 1.17 are affected.

    For more details please visit:

        http://www.securityfocus.com/bid/49911
        https://secunia.com/advisories/46279

III. IMPACT

    Successful exploitation of this vulnerability allows a remote attacker
    to execute arbitrary code.

IV. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, run the following command:

        # lslpp -l perl.rte

    The following fileset levels are vulnerable:

        AIX Fileset   AIX Level   Lower Level   Upper Level
        ----------------------------------------------------------------
      | perl.rte      5.3.12      5.8.8.0       5.8.8.122
      | perl.rte      6.1.5       5.8.8.0       5.8.8.122
      | perl.rte      6.1.6       5.8.8.0       5.8.8.122
      | perl.rte      6.1.7       5.8.8.0       5.8.8.122
      | perl.rte      6.1.8       5.8.8.0       5.8.8.244
      | perl.rte      7.1.0       5.10.1.0      5.10.1.50
      | perl.rte      7.1.1       5.10.1.0      5.10.1.50
      | perl.rte      7.1.2       5.10.1.0      5.10.1.150

    NOTE: Affected customers are urged to upgrade to the latest applicable
    Technology Level and Service Pack.

V. SOLUTIONS

    A. APARS

        IBM provides the following fixes:

            AIX Level   APAR number   Availability
            ---------------------------------------------------
            6.1.8       IV10197       06/28/13 sp3
            7.1.2       IV10197       08/09/13 sp3

        Subscribe to the APARs here:

            http://www.ibm.com/support/docview.wss?uid=isg1IV10197

        By subscribing, you will receive periodic email alerting you to the
        status of the APAR, and a link to download the fix once it becomes
        available.

        NOTE: Affected customers are urged to upgrade to the latest
        applicable Technology Level and Service Pack.

    B. INTERIM FIXES

        Interim fixes are available. The interim fix can be downloaded via
        ftp from:

            ftp://aix.software.ibm.com/aix/efixes/security/perl_ifix2.tar

        The link above is to a tar file containing this signed advisory,
        interim fix packages, and PGP signatures for each package.
        The interim fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX Technology
        Levels.

            AIX Level   VIOS Level   Fix
            -----------------------------------------------------------------
            5.3.12                   IV10197610.111107.epkg.Z
          | 6.1.5       2.1.3        IV10197610.111107.epkg.Z
          | 6.1.6       2.2.0        IV10197610.111107.epkg.Z
          | 6.1.7       2.2.1        IV10197610.111107.epkg.Z
          | 6.1.8                    IV10197610.111107.epkg.Z
            7.1.0                    IV10197710.111107.epkg.Z
            7.1.1                    IV10197710.111107.epkg.Z
          | 7.1.2                    IV10197610.111107.epkg.Z

        IMPORTANT: If possible, it is recommended that a mksysb backup of
        the system be created. Verify it is both bootable and readable
        before proceeding.

        These interim fixes have not been fully regression tested; thus,
        IBM does not warrant the fully correct functionality of the interim
        fix.

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands and
        are as follows:

            sum         filename
            ------------------------------------
            55198     9 IV10197610.111107.epkg.Z
            15391     9 IV10197710.111107.epkg.Z

            cksum             filename
            ------------------------------------------
            3148530716  8536  IV10197610.111107.epkg.Z
            4016406856  8879  IV10197710.111107.epkg.Z

            csum -h MD5 (md5sum)              filename
            ----------------------------------------------------------
            152ccb72817ecf0ee0cc7116e512fb40  IV10197610.111107.epkg.Z

            csum -h SHA1 (sha1sum)                    filename
            ------------------------------------------------------------------
            c0e33bdc5b9476cc9fdb1dc05812f6fd63655fd7  IV10197610.111107.epkg.Z
            df3a664147c404ae5ea07aab86655626e5a59383  IV10197710.111107.epkg.Z

        To verify the sums, use the text of this advisory as input to csum,
        md5sum, or sha1sum. For example:

            csum -h SHA1 -i Advisory.asc
            md5sum -c Advisory.asc
            sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the
        compressed tarball and on this advisory can also be used to verify
        the integrity of the various files they correspond to.
        If the sums or signatures cannot be confirmed, double check the
        command results and the download site address. If those are OK,
        contact IBM AIX Security at security-alert@austin.ibm.com and
        describe the discrepancy.

    C. INTERIM FIX INSTALLATION

        These packages use the new Interim Fix Management Solution to
        install and manage interim fixes. More information can be found at:

            http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an epkg interim fix installation, execute the following
        command:

            # emgr -e ipkg_name -p       # where ipkg_name is the name of the
                                         # interim fix package being previewed.

        To install an epkg interim fix package, execute the following
        command:

            # emgr -e ipkg_name -X       # where ipkg_name is the name of the
                                         # interim fix package being installed.

        The "X" flag will expand any filesystems if required.

VI. WORKAROUNDS

    None.

VII. OBTAINING FIXES

    AIX Version 5 APARs can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    Security related Interim Fixes can be downloaded from:

        ftp://aix.software.ibm.com/aix/efixes/security

VIII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email, please
    visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

    Comments regarding the content of this announcement can be directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate securely
    with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0x28BFAA12

    Please contact your local IBM AIX support center for any assistance.

    eServer is a trademark of International Business Machines Corporation.
    IBM, AIX and pSeries are registered trademarks of International Business
    Machines Corporation. All other trademarks are property of their
    respective holders.
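Section IV asks you to read the perl.rte level from lslpp output and compare it by hand against the table. The script below automates that comparison; it is an added example, not IBM tooling or part of this advisory. The lslpp output it parses is a constructed sample, and the function names (verle, vuln_range, perl_rte_vulnerable, perl_rte_level, check_host) are this example's own.

```shell
# Added example (not IBM tooling): automate the section IV check of a perl.rte level.
# verle A B : exit 0 if dotted version A <= B, comparing each field numerically
# (so 5.10.1.9 < 5.10.1.50; a plain string compare would get this wrong)
verle() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*}; fb=${vb%%.*}
        [ "$va" = "$fa" ] && va='' || va=${va#*.}
        [ "$vb" = "$fb" ] && vb='' || vb=${vb#*.}
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 1
    done
    return 0
}
# vuln_range AIXLEVEL : print "lower upper" from the section IV table, else fail
vuln_range() {
    case "$1" in
        5.3.12|6.1.5|6.1.6|6.1.7) echo "5.8.8.0 5.8.8.122" ;;
        6.1.8)                    echo "5.8.8.0 5.8.8.244" ;;
        7.1.0|7.1.1)              echo "5.10.1.0 5.10.1.50" ;;
        7.1.2)                    echo "5.10.1.0 5.10.1.150" ;;
        *)                        return 1 ;;
    esac
}
# perl_rte_vulnerable AIXLEVEL FILESETLEVEL : 0 vulnerable, 1 not, 2 unknown AIX level
perl_rte_vulnerable() {
    range=$(vuln_range "$1") || return 2
    set -- "$2" $range                 # now $1=fileset level, $2=lower, $3=upper
    verle "$2" "$1" && verle "$1" "$3"
}

# Constructed sample of `lslpp -l perl.rte` output (not captured from a real host)
SAMPLE_LSLPP='  Fileset                      Level  State      Description
Path: /usr/lib/objrepos
  perl.rte                   5.8.8.200  COMMITTED  Perl Version 5 Runtime'
# perl_rte_level : print the perl.rte level found in lslpp -l output on stdin
perl_rte_level() { awk '$1 == "perl.rte" { print $2; exit }'; }
# check_host AIXLEVEL < lslpp_output : print a one-line verdict, same exit codes
check_host() {
    lvl=$(perl_rte_level)
    [ -n "$lvl" ] || { echo "perl.rte not installed"; return 3; }
    perl_rte_vulnerable "$1" "$lvl" && rc=0 || rc=$?
    case $rc in
        0) echo "VULNERABLE: perl.rte $lvl on AIX $1 (apply the IV10197 fix)" ;;
        1) echo "NOT VULNERABLE: perl.rte $lvl on AIX $1" ;;
        *) echo "UNKNOWN: AIX $1 is not in the advisory table" ;;
    esac
    return $rc
}
echo "$SAMPLE_LSLPP" | check_host 6.1.8      # the constructed sample is in range on 6.1.8
```

On a real host replace the sample with `lslpp -l perl.rte | check_host "$(oslevel -s | cut -c1-6 | sed 's/-/./;s/00$//')"` only after confirming the level string matches the table's AIX Level format for your system; the oslevel mapping is not from the advisory.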
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================