On August 9th, 2021, Perl announced a vulnerability in the Encode.pm Perl module, introduced in version 3.05.
According to Perl development:
This bug replaces the contents of @INC with a predictable integer, which is treated as a directory relative to the current working directory, long enough to execute one “require”.
The vulnerability was introduced in Encode v3.05.
cPanel versions greater than or equal to the versions listed below include the updated Encode.pm Perl module:
11.94 – 11.94.0.15
11.96 – 11.96.0.15
11.98 – 11.98.0.4
For versions 94 and greater, the previously updated RPMs provided by cPanel will contain a changelog entry noting the applied fixes.
You can check for the changelog entry in versions 94 and 96 with the following command:
rpm -q --changelog cpanel-perl-532-Encode | grep "Encode 3.12"
For version 98 you need the following command (note the lowercase ‘encode’ in the package name):
rpm -q --changelog cpanel-perl-532-encode | grep "Encode 3.12"
The output for any version should resemble the following:
- Update patches: Encode 3.12
- Update from upstream: Encode 3.12
If your server is not running one of the above versions, update immediately.
To upgrade your server, navigate to WHM’s Upgrade to Latest Version interface (Home >> cPanel >> Upgrade to Latest Version) and click Click to Upgrade.
To upgrade cPanel from the command line, run the following commands:
/scripts/upcp
/scripts/check_cpanel_rpms --fix --long-list
For versions 94 and 96, verify that the updated Perl RPM was installed:
rpm -q --changelog cpanel-perl-532-Encode | grep "Encode 3.12"
For version 98 you need the following command (note the lowercase ‘encode’ in the package name):
rpm -q --changelog cpanel-perl-532-encode | grep "Encode 3.12"
The output for any version should resemble the following:
- Update patches: Encode 3.12
- Update from upstream: Encode 3.12
Credit: This bug was reported to perlsec on June 26 by Dom Hargreaves on behalf of Debian, passing on a report from Paul Wise.
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36770