Case 60970

Summary

Privilege escalation vulnerabilities due to the use of YAML::Syck for serialization

Security Rating

cPanel has assigned a Security Level of “Important” to this vulnerability.

Description

The Perl YAML::Syck module provides support for serialization and deserialization of data structures using the YAML format. In cPanel & WHM this functionality is used for storing human readable configuration files and some interprocess communication. In some areas the use of YAML crosses privilege separation boundaries.

The version of YAML::Syck used in previous releases of cPanel & WHM allowed serialized data to be blessed into arbitrary packages as it was deserialized. This could be leveraged to perform unsafe actions in object destructors.
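A defensive loader for YAML that arrives across a privilege boundary, added here as an example and not code from cPanel or from YAML::Syck itself. It assumes an installed YAML::Syck that provides the $YAML::Syck::LoadBlessed switch; on older releases that lack it, the second check still refuses anything that came back blessed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use YAML::Syck ();
use Scalar::Util qw(blessed reftype);

# Walk a loaded structure and report whether any node is a blessed reference.
# A blessed node is an object, and an object may carry a DESTROY method, which
# is exactly what untrusted YAML must never be allowed to hand us.
sub contains_blessed {
    my ($node, $seen) = @_;
    $seen ||= {};
    return 0 unless ref $node;
    return 0 if $seen->{$node}++;            # guard against cyclic structures
    return 1 if blessed $node;
    my $type = reftype $node;
    if ($type eq 'HASH')  { contains_blessed($_, $seen) and return 1 for values %$node; }
    if ($type eq 'ARRAY') { contains_blessed($_, $seen) and return 1 for @$node; }
    if ($type eq 'REF' || $type eq 'SCALAR') { return contains_blessed($$node, $seen); }
    return 0;
}

# Load YAML from a lower-privilege source: ask YAML::Syck not to honour
# !!perl/...:Package tags, then verify nothing blessed got through anyway
# (defence in depth for a YAML::Syck that ignores the switch).
sub load_untrusted_yaml {
    my ($yaml_text) = @_;
    local $YAML::Syck::LoadBlessed = 0;      # assumption: switch exists in this release
    my $data = YAML::Syck::Load($yaml_text);
    die "refusing YAML that deserialized into a blessed object\n"
        if contains_blessed($data);
    return $data;
}

# Constructed samples: a plain configuration document and one carrying a
# package tag for a hypothetical, non-existent package.
my $plain  = "---\nuser: example\nquota: 1024\n";
my $tagged = "--- !!perl/hash:Hypothetical::Pkg\nuser: example\n";

my $cfg = load_untrusted_yaml($plain);
print "plain document ok: user=$cfg->{user}\n";

# With the tag ignored this is a plain HASH, not a Hypothetical::Pkg object;
# on a release that still blesses, load_untrusted_yaml dies instead.
my $checked = eval { load_untrusted_yaml($tagged) };
print defined $checked ? "tagged document loaded unblessed as " . ref($checked) . "\n"
                       : "tagged document rejected: $@";
```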

This vulnerability was discovered by the cPanel Quality Assurance Team.

Solution

This issue is resolved in the following builds:

* 11.34.0.10 and greater
* 11.32.5.14 and greater
* 11.30.7.3 and greater

Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.