As the BSI reports, a vulnerability has been found in Perl. You can read here on news.de which operating systems and products are affected by the vulnerability.
The Federal Office for Security in der Informationstechnik (BSI) published an update on May 31, 2023 to a vulnerability for Perl that became known on June 8, 2020. The operating systems UNIX, Linux, MacOS X and Windows as well as the products IBM Security Guardium, Open Source CentOS, Amazon Linux 2, Juniper JUNOS, Red Hat Enterprise Linux, F5 BIG-IP, SUSE Linux, Oracle Linux and Gentoo are affected by the vulnerability Linux, Avaya Aura Communication Manager, Avaya Aura Session Manager, Avaya Aura Application Enablement Services, Avaya Aura System Manager, Avaya Aura Experience Portal, Avaya Web License Manager and Open Source Perl.
The latest manufacturer recommendations regarding updates, workarounds and security patches for this vulnerability can be found here: IBM Security Bulletin 6999317 (Status: 05/30/2023). Other useful links are listed later in this article.
Perl Security Advisory – Risk: High
Risk level: 4 (high)
CVSS Base Score: 8,2
CVSS Temporal Score: 7,1
Remoteangriff: Ja
The Common Vulnerability Scoring System (CVSS) is used to assess the vulnerability of computer systems. The CVSS standard makes it possible to compare potential or actual security gaps based on various metrics in order to create a priority list based on this for initiating countermeasures. The attributes “none”, “low”, “medium”, “high” and “critical” are used for the severity of a vulnerability. The base score assesses the prerequisites for an attack (including authentication, complexity, privileges, user interaction) and its consequences. The Temporal Score also takes into account changes over time with regard to the risk situation. The risk of the current vulnerability is classified as “high” according to the CVSS with a base score of 8.2.
Perl Bug: Multiple vulnerabilities allow execution of arbitrary code with service privileges
Perl is a free, platform-independent and interpreted programming language (scripting language).
A remote, anonymous attacker can exploit several vulnerabilities in Perl to execute arbitrary code with service privileges or to perform a denial of service attack.
The vulnerabilities were classified using the CVE designation system (Common Vulnerabilities and Exposures) by individual serial numbers CVE-2020-10543, CVE-2020-10878 und CVE-2020-12723.
Systems affected by the Perl vulnerability at a glance
operating systems
UNIX, Linux, MacOS X, Windows
Products
IBM Security Guardium 11.4 (cpe:/a:ibm:security_guardium)
Open Source CentOS (cpe:/o:centos:centos)
Amazon Linux 2 (cpe:/o:amazon:linux_2)
Juniper JUNOS (cpe:/o:juniper:junos)
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
F5 BIG-IP (cpe:/a:f5:big-ip)
SUSE Linux (cpe:/o:suse:suse_linux)
Oracle Linux (cpe:/o:oracle:linux)
Gentoo Linux (cpe:/o:gentoo:linux)
Avaya Aura Communication Manager (cpe:/a:avaya:communication_manager)
Avaya Aura Session Manager (cpe:/a:avaya:session_manager)
Avaya Aura Application Enablement Services (cpe:/a:avaya:aura_application_enablement_services)
Avaya Aura System Manager (cpe:/a:avaya:aura_system_manager)
Avaya Aura Experience Portal (cpe:/a:avaya:aura_experience_portal)
Avaya Web License Manager (cpe:/a:avaya:web_license_manager)
Open Source Perl < 5.30.3 (cpe:/a:perl:perl)
IBM Security Guardium 11.5 (cpe:/a:ibm:security_guardium)
General measures for dealing with IT security gaps
- Users of the affected systems should keep them up to date. When security vulnerabilities become known, manufacturers are required to remedy them as quickly as possible by developing a patch or a workaround. If new security updates are available, install them promptly.
- For information, consult the sources listed in the next section. These often contain further information on the latest version of the software in question and the availability of security patches or tips on workarounds.
- If you have any further questions or are uncertain, please contact your responsible administrator. IT security officers should regularly check when the IT security warning affected manufacturers makes a new security update available.
Sources for updates, patches and workarounds
Here you will find further links with information about bug reports, security fixes and workarounds.
IBM Security Bulletin 6999317 vom 2023-05-30 (31.05.2023)
For more information, see: https://www.ibm.com/support/pages/node/6999317
F5 Security Advisory K40508224 vom 2022-02-04 (04.02.2022)
For more information, see: https://support.f5.com/csp/article/K40508224
AVAYA Security Advisory ASA-2021-063 vom 2021-08-25 (27.08.2021)
For more information, see: https://downloads.avaya.com/css/P8/documents/101077246
Red Hat Security Advisory RHSA-2021:2792 vom 2021-07-21 (21.07.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2792
Juniper Security Advisory JSA11206 vom 2021-07-14 (15.07.2021)
For more information, see: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11206&cat=SIRT_1
Red Hat Security Advisory RHSA-2021:2461 vom 2021-06-16 (17.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2461
Red Hat Security Advisory RHSA-2021:2184 vom 2021-06-02 (02.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2184
Oracle Linux Security Advisory ELSA-2021-9238 vom 2021-05-20 (21.05.2021)
For more information, see: https://linux.oracle.com/errata/ELSA-2021-9238.html
Red Hat Security Advisory RHSA-2021:1678 vom 2021-05-18 (19.05.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:1678
Red Hat Security Advisory RHSA-2021:1266 vom 2021-04-20 (21.04.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:1266
Red Hat Security Advisory RHSA-2021:1032 vom 2021-03-30 (30.03.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:1032
Red Hat Security Advisory RHSA-2021:0883 vom 2021-03-16 (17.03.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:0883
AVAYA Security Advisory ASA-2021-015 vom 2021-03-10 (12.03.2021)
For more information, see: https://downloads.avaya.com/css/P8/documents/101074340
AVAYA Security Advisory ASA-2021-013 vom 2021-03-09 (11.03.2021)
For more information, see: https://downloads.avaya.com/css/P8/documents/101074333
Amazon Linux Security Advisory ALAS-2021-1610 vom 2021-02-20 (22.02.2021)
For more information, see: https://alas.aws.amazon.com/AL2/ALAS-2021-1610.html
Oracle Linux Security Advisory ELSA-2021-0557 vom 2021-02-18 (18.02.2021)
For more information, see: https://linux.oracle.com/errata/ELSA-2021-0557.html
Red Hat Security Advisory RHSA-2021:0557 vom 2021-02-16 (17.02.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:0557
Oracle Linux Security Advisory ELSA-2021-0343 vom 2021-02-03 (04.02.2021)
For more information, see: http://linux.oracle.com/errata/ELSA-2021-0343.html
CentOS Security Advisory CESA-2021:0343 vom 2021-02-04 (04.02.2021)
For more information, see: http://centos-announce.2309468.n4.nabble.com/CentOS-announce-CESA-2021-0343-Moderate-CentOS-7-perl-Security-Update-tp4646128.html
Red Hat Security Advisory RHSA-2021:0343 vom 2021-02-02 (02.02.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:0343
SUSE Security Update SUSE-SU-2020:1682-2 vom 2020-07-07 (08.07.2020)
For more information, see: http://lists.suse.com/pipermail/sle-security-updates/2020-July/007092.html
SUSE Security Update SUSE-SU-2020:1682-1 vom 2020-06-19 (22.06.2020)
For more information, see: http://lists.suse.com/pipermail/sle-security-updates/2020-June/006983.html
SUSE Security Update SUSE-SU-2020:1662-1 vom 2020-06-18 (19.06.2020)
For more information, see: http://lists.suse.com/pipermail/sle-security-updates/2020-June/006972.html
GENTOO Security Advisory GLSA/202006-03 vom 2020-06-15 (15.06.2020)
For more information, see: https://www.cybersecurity-help.cz/vdb/SB2020061514
Gentoo Security Advisory GLSA 202006-03 vom 2020-06-11 (12.06.2020)
For more information, see: https://security.gentoo.org/glsa/202006-03
Report on Github from 2020-06-07 (08.06.2020)
For more information, see: https://github.com/Perl/perl5/blob/blead/pod/perl5303delta.pod
Version history of this security alert
This is the 25th version of this Perl IT Security Advisory. As further updates are announced, this text will be updated. You can read about changes or additions in this version history.
06/08/2020 – Initial version
06/12/2020 – New updates of Gentoo
06/15/2020 – Added new updates from GENTOO
06/19/2020 – Added new updates from SUSE
06/22/2020 – Added new updates from SUSE
07/08/2020 – Added new updates from SUSE
02/02/2021 – Added new updates from Red Hat
02/04/2021 – Added new updates of CentOS and Oracle Linux
02/17/2021 – Added new updates from Red Hat
02/18/2021 – Added new updates of Oracle Linux
02/22/2021 – Added new updates from Amazon
03/11/2021 – Added new updates from AVAYA
03/12/2021 – Added new updates from AVAYA
03/17/2021 – Added new updates from Red Hat
03/30/2021 – Added new updates from Red Hat
04/21/2021 – Added new updates from Red Hat
05/19/2021 – Added new updates from Red Hat
05/21/2021 – Added new updates of Oracle Linux
06/02/2021 – Added new updates from Red Hat
06/17/2021 – Added new updates from Red Hat
07/15/2021 – Added new updates from Juniper
07/21/2021 – Added new updates from Red Hat
08/27/2021 – Added new updates from AVAYA
02/04/2022 – Added new updates of F5
05/31/2023 – Added new updates from IBM
+++ Editorial note: This text was created with AI support based on current BSI data. We accept feedback and comments at [email protected]. +++
follow News.de already at Facebook, Twitter, Pinterest and YouTube? Here you will find the latest news, the latest videos and the direct line to the editors.
roj/news.de