Unscheduled TSR 8/10/21 cPanel Perl Encode.pm CVE-2021-36770

Background Information

On August 9th 2021, Perl announced a vulnerability in the Encode.pm perl module version 3.05.

Impact

According to Perl development:

    Porters, I have attached a fix for a bug in Encode, registered as CVE-2021-36770. This bug replaces the contents of @INC with a predictable integer, which is treated as a directory relative to the current working directory, long enough to execute one "require".

    The vulnerability was introduced in Encode v3.05, here: dankogai/p5-encode@9c5f5a3

    It was shipped with perl v5.32 and v5.34.

    A simple proof of concept:

    dinah:~/tmp$ perl -MEncode -e0
    dinah:~/tmp$ perl -E 'say scalar @INC'
    4
    dinah:~/tmp$ mkdir -p 4/Encode
    dinah:~/tmp$ echo 'print "Something evil here!!\n"' > 4/Encode/ConfigLocal.pm
    dinah:~/tmp$ perl -MEncode -e0
    Something evil here!!

    A new release of Encode should be available from the CPAN today, and will be swiftly integrated into perl5.git. I expect this fix will shortly be available from major distributors of perl. In the meantime, I have applied a patch to the repository.

    This bug was reported to perlsec on June 26 by Dom Hargreaves on behalf of Debian, passing on a report from Paul Wise.

    -- rjbs

Releases

Versions greater than or equal to the versions listed below include the updated Encode.pm perl module.

11.94 - 11.94.0.15
11.96 - 11.96.0.15
11.98 - 11.98.0.4

How to determine if your server is up-to-date

For versions 94 and greater, the previously updated RPMs provided by cPanel will contain a changelog entry noting the applied fixes.

You can check for the changelog entry in versions 94 and greater with the following command:

    rpm -q --changelog cpanel-perl-532-encode | grep "Encode 3.12"

The output should resemble below:

    - Update patches: Encode 3.12
    - Update from upstream: Encode 3.12

What to do if you are not up-to-date

If your server is not running one of the above versions, update immediately.

To upgrade your server, navigate to WHM's Upgrade to Latest Version interface ( Home >> cPanel >> Upgrade to Latest Version ) and click Click to Upgrade.

To upgrade cPanel from the command line, run the following commands:

    /scripts/upcp
    /scripts/check_cpanel_rpms --fix --long-list

For versions 94 and greater, verify the updated Perl RPM was installed:

    rpm -q --changelog cpanel-perl-532-encode | grep "Encode 3.12"

The output should resemble below:

    - Update patches: Encode 3.12
    - Update from upstream: Encode 3.12

Additional Information

Credit: This bug was reported to perlsec on June 26 by Dom Hargreaves on behalf of Debian, passing on a report from Paul Wise.

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36770
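As an added helper that is not part of the cPanel advisory or the upstream Encode fix, the following POSIX shell script combines the two verification steps above: it classifies the Encode.pm version actually loaded by perl against the affected range (introduced in 3.05, fixed upstream in 3.12, the release the changelog entry refers to) and runs the advisory's RPM changelog check. It assumes Encode reports a plain decimal $Encode::VERSION, which perl itself compares numerically; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the cPanel advisory): verify the host's Encode.pm
# against CVE-2021-36770. Affected range assumed: 3.05 <= version < 3.12.
# Encode's $VERSION is a decimal that perl compares numerically ("3.10" == 3.1),
# so a numeric comparison in awk models perl's own behaviour.

# Return 0 (true) when the given Encode version string is in the affected range.
encode_version_affected() {
    awk -v v="$1" 'BEGIN { exit !(v + 0 >= 3.05 && v + 0 < 3.12) }'
}

# Load Encode with the given perl binary (default: perl on PATH) and report.
# Returns 0 if safe, 1 if affected, 2 if Encode could not be loaded.
check_installed_encode() {
    perl_bin="${1:-perl}"
    ver=$("$perl_bin" -MEncode -e 'print $Encode::VERSION' 2>/dev/null) || {
        echo "could not load Encode with $perl_bin"; return 2; }
    if encode_version_affected "$ver"; then
        echo "Encode $ver: AFFECTED by CVE-2021-36770, update required"
        return 1
    fi
    echo "Encode $ver: not in affected range (3.05 <= v < 3.12)"
    return 0
}

# The cPanel-specific check from the advisory (cPanel 11.94 and greater).
# Also reports "no entry" when rpm is absent, so read it alongside the version check.
check_cpanel_rpm() {
    if rpm -q --changelog cpanel-perl-532-encode 2>/dev/null | grep -q "Encode 3.12"; then
        echo "cpanel-perl-532-encode: changelog shows the Encode 3.12 update"
        return 0
    fi
    echo "cpanel-perl-532-encode: no Encode 3.12 changelog entry found"
    return 1
}

run_checks() {
    check_installed_encode "${1:-perl}"
    check_cpanel_rpm
}

# Run both checks only when invoked as: sh encode_check.sh --run [/path/to/perl]
case "${1:-}" in
    --run) shift; run_checks "$@" ;;
esac
```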