This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.
The remote Amazon Linux AMI host is missing a security update.
The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in
WWW::Mechanize, LWP::UserAgent, and other products, when running in
environments that do not set the If-SSL-Cert-Subject header, does not
enable full validation of SSL certificates by default, which allows
remote attackers to spoof servers via man-in-the-middle (MITM) attacks
involving hostnames that are not properly validated. NOTE: it could be
argued that this is a design limitation of the Net::HTTPS API, and
separate implementations should be independently assigned CVE
identifiers for not working around this limitation. However, because
this API was modified within LWP, a single CVE identifier has been
Run 'yum update perl-libwww-perl' to update your system.
Risk factor: Medium / CVSS Base Score: 4.3
Family: Amazon Linux Local Security Checks
Nessus Plugin ID: 69576
CVE ID: CVE-2011-0633