Privilege escalation vulnerabilities due to the use of YAML::Syck for serialization
cPanel has assigned a Security Level of “Important” to this vulnerability.
The Perl YAML::Syck module provides support for serialization and deserialization of data structures using the YAML format. In cPanel & WHM this functionality is used for storing human readable configuration files and some interprocess communication. In some areas the use of YAML crosses privilege separation boundaries.
The version of YAML::Syck used in previous releases of cPanel & WHM allowed serialized data to be blessed into arbitrary packages as it was deserialized. This could be leveraged to perform unsafe actions in object destructors.
This vulnerability was discovered by the cPanel Quality Assurance Team.
This issue is resolved in the following builds:
* 22.214.171.124 and greater
* 126.96.36.199 and greater
* 188.8.131.52 and greater
Please update your cPanel & WHM system to one of the aforementioned versions or the latest public release available. A full listing of published versions can always be found at http://httpupdate.cpanel.net/.