-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           IBM SECURITY ADVISORY

First Issued: Mon Nov 22 15:00:14 CST 2011
| Updated: Thu Feb 7 13:01:41 CST 2013
| Fixed vulnerable fileset levels
| Added VIOS Levels under section V for Interim Fixes
| Fixed availability dates

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/perl_advisory2.asc

===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:  Perl Digest Module "Digest->new()" Code Injection
                Vulnerability

PLATFORMS:      AIX 5.3, 6.1, 7.1

SOLUTION:       Apply the fix as described below.

THREAT:         A remote attacker may run arbitrary code.

CERT VU Number: n/a
CVE Number:     CVE-2011-3597
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

    Perl is a free scripting-language interpreter with a rich set of
    features, shipped as part of the base AIX Operating System
    environment.

II. DESCRIPTION

    The Digest module for Perl is prone to a vulnerability that lets
    attackers inject and execute arbitrary Perl code. Remote attackers
    can exploit this issue to run arbitrary code in the context of the
    affected application. Digest versions prior to 1.17 are affected.

    For more details please visit:

    http://www.securityfocus.com/bid/49911
    https://secunia.com/advisories/46279

III. IMPACT

    Successful exploitation of this vulnerability allows a remote
    attacker to execute arbitrary code.

IV. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, run the following
    command:

    # lslpp -l perl.rte

    The following fileset levels are vulnerable:

        AIX Fileset    AIX Level    Lower Level    Upper Level
        ----------------------------------------------------------------
      | perl.rte       5.3.12       5.8.8.0        5.8.8.122
      | perl.rte       6.1.5        5.8.8.0        5.8.8.122
      | perl.rte       6.1.6        5.8.8.0        5.8.8.122
      | perl.rte       6.1.7        5.8.8.0        5.8.8.122
      | perl.rte       6.1.8        5.8.8.0        5.8.8.122
      | perl.rte       7.1.0        5.10.1.0       5.10.1.50
      | perl.rte       7.1.1        5.10.1.0       5.10.1.50
      | perl.rte       7.1.2        5.10.1.0       5.10.1.50

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

V. SOLUTIONS

    A. APARS

        IBM provides the following fixes:

        AIX Level    APAR number    Availability
        ---------------------------------------------------
        6.1.8        IV10197        06/28/13 sp3
        7.1.2        IV10197        08/09/13 sp3

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IV10197

        By subscribing, you will receive periodic email alerting you to
        the status of the APAR, and a link to download the fix once it
        becomes available.

        NOTE: Affected customers are urged to upgrade to the latest
        applicable Technology Level and Service Pack.

    B. INTERIM FIXES

        Interim fixes are available. The interim fix can be downloaded
        via ftp from:

        ftp://aix.software.ibm.com/aix/efixes/security/perl_ifix2.tar

        The link above is to a tar file containing this signed advisory,
        interim fix packages, and PGP signatures for each package.

        The interim fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX Technology
        Levels.
        AIX Level    VIOS Level    Fix
        -----------------------------------------------------------------
        5.3.12                     IV10197610.111107.epkg.Z
      | 6.1.5        2.1.3         IV10197610.111107.epkg.Z
      | 6.1.6        2.2.0         IV10197610.111107.epkg.Z
      | 6.1.7        2.2.1         IV10197610.111107.epkg.Z
      | 6.1.8                      IV10197610.111107.epkg.Z
        7.1.0                      IV10197710.111107.epkg.Z
        7.1.1                      IV10197710.111107.epkg.Z
      | 7.1.2                      IV10197710.111107.epkg.Z

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created. Verify it is both bootable and
        readable before proceeding.

        These interim fixes have not been fully regression tested; thus,
        IBM does not warrant the fully correct functionality of the
        interim fix.

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
        and are as follows:

        sum         filename
        ------------------------------------
        55198     9 IV10197610.111107.epkg.Z
        15391     9 IV10197710.111107.epkg.Z

        cksum            filename
        ------------------------------------------
        3148530716  8536 IV10197610.111107.epkg.Z
        4016406856  8879 IV10197710.111107.epkg.Z

        csum -h MD5 (md5sum)              filename
        ----------------------------------------------------------
        152ccb72817ecf0ee0cc7116e512fb40  IV10197610.111107.epkg.Z

        csum -h SHA1 (sha1sum)                    filename
        ------------------------------------------------------------------
        c0e33bdc5b9476cc9fdb1dc05812f6fd63655fd7  IV10197610.111107.epkg.Z
        df3a664147c404ae5ea07aab86655626e5a59383  IV10197710.111107.epkg.Z

        To verify the sums, use the text of this advisory as input to
        csum, md5sum, or sha1sum. For example:

        csum -h SHA1 -i Advisory.asc
        md5sum -c Advisory.asc
        sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the
        compressed tarball and on this advisory can also be used to
        verify the integrity of the various files they correspond to.

        If the sums or signatures cannot be confirmed, double check the
        command results and the download site address. If those are OK,
        contact IBM AIX Security at security-alert@austin.ibm.com and
        describe the discrepancy.

    C. INTERIM FIX INSTALLATION

        These packages use the new Interim Fix Management Solution to
        install and manage interim fixes. More information can be found
        at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an epkg interim fix installation execute the
        following command:

        # emgr -e ipkg_name -p       # where ipkg_name is the name of the
                                     # interim fix package being previewed.

        To install an epkg interim fix package, execute the following
        command:

        # emgr -e ipkg_name -X       # where ipkg_name is the name of the
                                     # interim fix package being installed.

        The "X" flag will expand any filesystems if required.

VI. WORKAROUNDS

    None.

VII. OBTAINING FIXES

    AIX Version 5 APARs can be downloaded from:

    http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    Security related Interim Fixes can be downloaded from:

    ftp://aix.software.ibm.com/aix/efixes/security

VIII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

    http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

    Comments regarding the content of this announcement can be directed
    to:

    security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

    A. Send an email with "get key" in the subject line to:

       security-alert@austin.ibm.com

    B. Download the key from a PGP Public Key Server. The key ID is:

       0x28BFAA12

    Please contact your local IBM AIX support center for any assistance.

    eServer is a trademark of International Business Machines
    Corporation. IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation. All other trademarks
    are property of their respective holders.
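The section IV check, scripted as an added example in POSIX sh (not IBM's code): it parses a constructed "lslpp -l perl.rte" sample, tests the fileset level against the advisory's vulnerable ranges, and names the section V.B interim fix package for that perl stream. Function names and the sample output are assumptions made for this example.

```shell
# Added example, not IBM's code: check an installed perl.rte level against
# the vulnerable ranges in section IV and name the interim fix from section V.B.
# Compare two dotted version strings component by component; prints lt/eq/gt.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    if [ "${ai:-0}" -lt "${bi:-0}" ]; then echo lt; return 0; fi
    if [ "${ai:-0}" -gt "${bi:-0}" ]; then echo gt; return 0; fi
  done
  echo eq
}
# Exit 0 when LEVEL lies within [LOWER, UPPER] inclusive.
in_range() {
  [ "$(vercmp "$1" "$2")" != lt ] && [ "$(vercmp "$1" "$3")" != gt ]
}
# Exit 0 if LEVEL is vulnerable per the section IV table:
# 5.8.8.0-5.8.8.122 (AIX 5.3/6.1) or 5.10.1.0-5.10.1.50 (AIX 7.1).
perl_rte_vulnerable() {
  case $1 in
    5.8.8.*)  in_range "$1" 5.8.8.0  5.8.8.122 ;;
    5.10.1.*) in_range "$1" 5.10.1.0 5.10.1.50 ;;
    *)        return 1 ;;
  esac
}
# Interim fix package for a given perl.rte stream (section V.B table).
ifix_for_level() {
  case $1 in
    5.8.8.*)  echo IV10197610.111107.epkg.Z ;;
    5.10.1.*) echo IV10197710.111107.epkg.Z ;;
  esac
}
# Pull the level column for perl.rte out of "lslpp -l perl.rte" output on stdin.
perl_rte_level() {
  awk '$1 == "perl.rte" { print $2; exit }'
}

# Constructed sample of lslpp -l output from an unpatched AIX 6.1 host.
SAMPLE='  Fileset          Level      State      Description
  perl.rte         5.8.8.122  COMMITTED  Perl Version 5 Runtime'

level=$(printf '%s\n' "$SAMPLE" | perl_rte_level)
if perl_rte_vulnerable "$level"; then
  echo "perl.rte $level is vulnerable; apply $(ifix_for_level "$level")"
else
  echo "perl.rte $level is outside the vulnerable ranges"
fi
```

On a live host, replace the constructed sample with the real command: `lslpp -l perl.rte | perl_rte_level`.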
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFRFAzT4fmd+Ci/qhIRAnB9AJ9V5j29lbQA8BQaRon5RUhgwPsipwCeKa2S
uTHGOtjFeEQU32iMiRR02hA=
=O4rD
-----END PGP SIGNATURE-----