cPanel Perl Encode.pm CVE-2021-36770
Background Information
On August 9th, 2021, Perl announced CVE-2021-36770, a vulnerability in the Encode.pm Perl module: the bug was introduced in Encode 3.05 and is fixed in Encode 3.12.
Impact
According to Perl development:
Porters,
I have attached a fix for a bug in Encode, registered as CVE-2021-36770. This bug replaces the contents of @INC with a predictable integer, which is treated as a directory relative to the current working directory, long enough to execute one "require".
The vulnerability was introduced in Encode v3.05, here: dankogai/p5-encode@9c5f5a3. It was shipped with Perl v5.32 and v5.34.
A simple proof of concept:
Code:
dinah:~/tmp$ perl -MEncode -e0
dinah:~/tmp$ perl -E 'say scalar @INC'
4
dinah:~/tmp$ mkdir -p 4/Encode
dinah:~/tmp$ echo 'print "Something evil here!!\n"' > 4/Encode/ConfigLocal.pm
dinah:~/tmp$ perl -MEncode -e0
Something evil here!!
A new release of Encode should be available from the CPAN today and will be swiftly integrated into perl5.git. I expect this fix will shortly be available from major distributors of Perl. In the meantime, I have applied a patch to the repository.
This bug was reported to perlsec on June 26 by Dom Hargreaves on behalf of Debian, passing on a report from Paul Wise.
--
rjbs
Releases
Versions greater than or equal to the builds listed below (release branch - first fixed build) include the updated Encode.pm Perl module.
11.94 - 11.94.0.15
11.96 - 11.96.0.15
11.98 - 11.98.0.4
How to determine if your server is up-to-date
For versions 94 and greater, the updated RPMs provided by cPanel contain a changelog entry noting the applied fixes.
You can check for the changelog entry in versions 94 and 96 with the following command:
Code:
rpm -q --changelog cpanel-perl-532-Encode | grep "Encode 3.12"
For version 98 you need the following command (note the lowercase 'encode' in the package name):
Code:
rpm -q --changelog cpanel-perl-532-encode | grep "Encode 3.12"
The output for any version should resemble the lines below. If grep prints nothing, the fixed package is not installed.
- Update patches: Encode 3.12
- Update from upstream: Encode 3.12
What to do if you are not up-to-date
If your server is not running one of the above versions, update immediately.
To upgrade your server, navigate to WHM's Upgrade to Latest Version interface ( Home >> cPanel >> Upgrade to Latest Version ) and click Click to Upgrade.
To upgrade cPanel from the command line, run the following commands:
Code:
/scripts/upcp
/scripts/check_cpanel_rpms --fix --long-list
For versions 94 and greater, verify the updated Perl RPM was installed, using the package name that matches your version (cpanel-perl-532-Encode for 94 and 96, cpanel-perl-532-encode for 98), for example:
Code:
rpm -q --changelog cpanel-perl-532-encode | grep "Encode 3.12"
The output should resemble below:
- Update patches: Encode 3.12
- Update from upstream: Encode 3.12
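The checks above are done by hand, one command at a time. The script below is an added example (not part of the cPanel advisory and not cPanel's tooling) that turns them into something runnable across a fleet: a dotted-version comparison against the fixed builds listed under Releases, a test of the installed Encode's $VERSION against the affected range (introduced in 3.05, fixed in 3.12), and a behavioural probe that repeats the proof of concept quoted above with a harmless marker module. The probe matters because a vendor can backport the fix without changing $VERSION, so the version string alone can mislead in either direction. The script name and the /usr/local/cpanel/version path are assumptions, not something the advisory states.

```shell
#!/bin/sh
# check_cve_2021_36770.sh (hypothetical name): an added example, not part of the
# cPanel advisory or of cPanel's tooling. Numbers come from the advisory: fixed
# cPanel builds 11.94.0.15 / 11.96.0.15 / 11.98.0.4, bug introduced in Encode
# 3.05, fixed upstream in Encode 3.12. The /usr/local/cpanel/version path is an
# assumption, not something the advisory states.

# vercmp A B -> 0 if dotted version A >= B, 1 otherwise. Fields are compared
# numerically, missing trailing fields count as 0, and anything from the first
# character that is not a digit or dot (e.g. a "_01" dev suffix) is ignored.
vercmp() {
    _a=${1%%[!0-9.]*}; _b=${2%%[!0-9.]*}
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        if [ "$_a" = "$_x" ]; then _a=''; else _a=${_a#*.}; fi
        if [ "$_b" = "$_y" ]; then _b=''; else _b=${_b#*.}; fi
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    done
    return 0
}

# cpanel_fixed VERSION -> 0 if a cPanel & WHM version such as "11.96.0.12" is at
# or above the first fixed build of its branch, 1 if it is below, 2 if the
# branch is not one the advisory lists (EOL or newer): fall back to the RPM
# changelog check in that case rather than assuming either way.
cpanel_fixed() {
    case "$1" in
        11.94.*) vercmp "$1" 11.94.0.15 ;;
        11.96.*) vercmp "$1" 11.96.0.15 ;;
        11.98.*) vercmp "$1" 11.98.0.4 ;;
        *)       return 2 ;;
    esac
}

# encode_affected VERSION -> 0 if an Encode.pm $VERSION lies in [3.05, 3.12),
# the range that carries the bug. A vendor may backport the fix without
# bumping $VERSION, so treat a hit here as "probably" and let probe_live decide.
encode_affected() {
    vercmp "$1" 3.05 && ! vercmp "$1" 3.12
}

# probe_live -> repeats the advisory's proof of concept with a harmless marker.
# A vulnerable Encode evaluates "require Encode::ConfigLocal" while @INC holds
# only its own element count, so <count>/Encode/ConfigLocal.pm under the current
# directory is what gets loaded. Returns 1 only if the marker module runs.
probe_live() {
    command -v perl >/dev/null 2>&1 || { echo "probe: perl not found, skipped"; return 0; }
    _dir=$(mktemp -d) || return 1
    _n=$(perl -e 'print scalar @INC' 2>/dev/null)
    if [ -z "$_n" ]; then rm -rf "$_dir"; echo "probe: could not read @INC, skipped"; return 0; fi
    mkdir -p "$_dir/$_n/Encode"
    printf '%s\n' 'print "CVE-2021-36770-MARKER\n"; 1;' > "$_dir/$_n/Encode/ConfigLocal.pm"
    _out=$(cd "$_dir" && perl -MEncode -e0 2>/dev/null)
    rm -rf "$_dir"
    case "$_out" in
        *CVE-2021-36770-MARKER*) echo "probe: VULNERABLE, ConfigLocal.pm was loaded from the working directory"; return 1 ;;
        *) echo "probe: not vulnerable, marker module was not loaded"; return 0 ;;
    esac
}

main() {
    if command -v perl >/dev/null 2>&1; then
        _v=$(perl -MEncode -e 'print $Encode::VERSION' 2>/dev/null)
        if [ -z "$_v" ]; then echo "Encode: module could not be loaded"
        elif encode_affected "$_v"; then echo "Encode $_v: version string is in the affected range [3.05, 3.12)"
        else echo "Encode $_v: version string is outside the affected range"
        fi
    fi
    if [ -r /usr/local/cpanel/version ]; then    # assumed location of the cPanel version
        _cp=$(cat /usr/local/cpanel/version); _s=0
        cpanel_fixed "$_cp" || _s=$?
        case $_s in
            0) echo "cPanel $_cp: at or above the first fixed build of its branch" ;;
            1) echo "cPanel $_cp: BELOW the first fixed build of its branch, update" ;;
            *) echo "cPanel $_cp: branch not covered by the advisory, check the RPM changelog" ;;
        esac
    fi
    probe_live    # the script's exit status follows the behavioural probe only
}
main "$@"
```

Run it as root on the host. The exit status is 1 only when the probe actually loads the marker module; the version-string and branch checks are printed for context but do not decide the result, precisely because of backports and of branches the advisory does not list. The probe writes only inside a temporary directory that it removes, and the marker module needs no privileges to be picked up, which is the whole point of the bug.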
Additional Information
Credit: This bug was reported to perlsec on June 26 by Dom Hargreaves on behalf of Debian, passing on a report from Paul Wise.
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36770
For the signed PGP Version of this message: Unscheduled-TSR-8_10_21-CVE-2021-36770.signed