-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

CVE-2016-1238 Perl

Background Information

On July 25 2016, Perl announced a vulnerability in all versions of the Perl 5 software.

Impact

According to Perl development:

The problem relates to Perl 5 ("perl") loading modules from the includes directory array ("@INC") in which the last element is the current directory ("."). That means that, when "perl" wants to load a module (during first compilation or during lazy loading of a module in run-time), perl will look for the module in the current directory at the end, since '.' is the last include directory in its array of include directories to seek.

The issue is with requiring libraries that are in "." but are not otherwise installed. Under some conditions, e.g. changing the current directory to a location writable by other users, this vulnerability can lead to arbitrary code execution.

Releases

cPanel & WHM version 56 and greater are already protected. Versions previous to 56 received updates to mitigate this issue as of TSR-2016-0002 for cPanel-provided scripts. Versions greater than the versions listed below are protected:

11.50 - 11.50.5.0
11.52 - 11.52.4.0
11.54 - 11.54.0.18

More information about the protections already in place can be found at the link below:

https://documentation.cpanel.net/display/ALD/56+Release+Notes#id-56ReleaseNotes-Removed%27.%27from@INC

Additional updates have been published to protect upstream-provided Perl 5 scripts shipped in the cPanel-provided Perl distribution for versions previous to 56. Versions greater than the versions listed below include the additional protections for upstream-provided scripts:

11.52 - 11.52.6.4
11.54 - 11.54.0.27

How to determine if your server is up-to-date

For versions 56 and greater, the previously updated RPMs provided by cPanel will contain a changelog entry noting the applied fixes.
You can check for the changelog entry in versions 56 and greater with the following command:

rpm -q --changelog cpanel-perl-522 | grep "Remove . from @INC"

The output should resemble below:

- Remove . from @INC unless the environment variable PERL_USE_UNSAFE_INC=1 is set.

For versions 54 and 52, the updated RPMs provided by cPanel will contain a changelog entry with the CVE number. You can check for the changelog entry in versions 54 and 52 with the following command:

rpm -q --changelog cpanel-perl-514 | grep CVE-2016-1238

The output should resemble below:

- Fix for CVE-2016-1238

What to do if you are not up-to-date

If your server is not running one of the above versions, update immediately. To upgrade your server, navigate to Home > cPanel > Upgrade to Latest Version and click "Click to Upgrade" (https://documentation.cpanel.net/display/ALD/Upgrade+to+Latest+Version).

To upgrade cPanel from the command line, run the following commands:

/scripts/upcp
/scripts/check_cpanel_rpms --fix --long-list

For versions 56 and greater, verify the updated Perl RPM was installed:

rpm -q --changelog cpanel-perl-522 | grep "Remove . from @INC"

The output should resemble below:

- Remove . from @INC unless the environment variable PERL_USE_UNSAFE_INC=1 is set.

For versions 54 and 52, verify the updated Perl RPM was installed:

rpm -q --changelog cpanel-perl-514 | grep CVE-2016-1238

The output should resemble below:

- Fix for CVE-2016-1238

Additional Information

Credit: This issue was discovered and reported by J.D. Lightsey and Todd Rinaldo, courtesy of the cPanel Security Team.
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJXlpHWAAoJEJUhvtyr2U3fQ88QAJAn8HWranZsftiMRhRyWtLl
prTuuwSJXJ0fQZssqBw7rRzcqVWI5EA72EsalCWw3RWRluNDYsGuxAAi9QnqbG6u
4DEDFqeYz+xiOLErhFxyPpv5PJ1jKWYluaufXLM6XqV/7DwWOmvs1TpKUzIfFiiM
w/Skt9yDG4MI+8jPCepZJv7mcx76lUo5PybSi5pymf7JPfStgNJ4tkFS/h/WZYYU
ho00LTVXxt4NDvcOUJNAuHo4ypvqz1Y0z8Wtkdt72QzqOq0DNC6At0F4UnLpEOY/
WfHi3hryT6qxZdt0sXc2jExLzxEJU8KMcxDwnYy044iMagLwuP6V9oPCcI4Ug+1v
98uTzpjNjnsiguMvNAnbetSBYih8m7drIaju8zK602aE9J/EcdDPHflZ+Xquaz3N
MTw627TGhXoZQIhAmo0W3zpkwAo6y/gyzwrj7JfaaWxeqtnTYRqnFZjvIyVD7Nbq
FUpjiQUzPKDSfZll9oOU94gWPmJzs7Rh2l9nt9r5BSgbwfs+ScLn1lby78xWLL1n
/evCbh6KNIVMOZDpLSUYBn/iXffDN4kFbgYiqBpy8etA43Bw8WFzhTHy13VXhPLw
tvKbvfn0mQr3eTS9rghuaIYkGVgSANHFKpgZX7LIsLtW2d88z3SAmKb3f74Et86g
kSvUiudNtaURpXmn+dOS
=ermW
-----END PGP SIGNATURE-----
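The changelog checks in the advisory confirm which RPM is installed; the script below is an added example (not cPanel's code and not part of the signed message) that checks the condition the Impact section describes directly: it classifies a Perl @INC listing, one entry per line, as "vulnerable" when a "." entry is present, and runs the same classification against whatever perl is on PATH. It assumes a POSIX sh and, for the live check, a perl binary; the two sample listings are constructed. It goes slightly beyond the advisory by also reporting any other non-absolute @INC entry as "relative", since those are resolved against the current directory as well.

```shell
#!/bin/sh
# Added example, not cPanel's code and not part of the signed advisory.
# Classifies a Perl @INC listing (one entry per line on stdin) for the
# CVE-2016-1238 condition: a "." entry that makes perl search the current
# directory for modules. The sample listings below are constructed.

# Constructed sample: an unpatched interpreter, "." still last in @INC.
SAMPLE_VULN_INC='/usr/local/lib64/perl5
/usr/local/share/perl5
/usr/lib64/perl5
/usr/share/perl5
.'

# Constructed sample: a patched interpreter, "." removed.
SAMPLE_FIXED_INC='/usr/local/lib64/perl5
/usr/local/share/perl5
/usr/lib64/perl5
/usr/share/perl5'

# Print "vulnerable" if any entry is exactly ".", "relative" if any other
# entry is not an absolute path (also resolved against the cwd; this goes
# beyond the advisory, which names only "."), otherwise "ok". Always exits 0
# so it can be used inside command substitution.
classify_inc() {
    has_dot=0
    has_rel=0
    # The "|| [ -n ... ]" keeps a final entry without a trailing newline.
    while IFS= read -r entry || [ -n "$entry" ]; do
        [ -z "$entry" ] && continue
        if [ "$entry" = "." ]; then
            has_dot=1
        else
            case "$entry" in
                /*) ;;
                *)  has_rel=1 ;;
            esac
        fi
    done
    if [ "$has_dot" -eq 1 ]; then
        echo "vulnerable"
    elif [ "$has_rel" -eq 1 ]; then
        echo "relative"
    else
        echo "ok"
    fi
}

# Run the same classification against a live interpreter ($1, default
# "perl" on PATH). Per the changelog entry quoted in the advisory, a fixed
# build keeps "." when PERL_USE_UNSAFE_INC=1 is set, so that is reported too.
check_live_perl() {
    perl_bin="${1:-perl}"
    if ! command -v "$perl_bin" >/dev/null 2>&1; then
        echo "skipped: $perl_bin not found"
        return 0
    fi
    if [ "${PERL_USE_UNSAFE_INC:-}" = "1" ]; then
        echo "note: PERL_USE_UNSAFE_INC=1 is set in this environment" >&2
    fi
    "$perl_bin" -e 'print "$_\n" for @INC' | classify_inc
}

echo "sample unpatched @INC: $(printf '%s\n' "$SAMPLE_VULN_INC" | classify_inc)"
echo "sample patched @INC:   $(printf '%s\n' "$SAMPLE_FIXED_INC" | classify_inc)"
echo "live perl on PATH:     $(check_live_perl)"
```

On a cPanel host, pass the distribution's interpreter explicitly (for example `check_live_perl /path/to/cpanel/perl`, with the real path substituted) rather than relying on whatever `perl` is first on PATH, and run it with PERL_USE_UNSAFE_INC unset to see the default @INC the advisory's fix produces.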