Amazon Linux AMI : perl-libwww-perl (ALAS-2011-17)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Amazon Linux AMI host is missing a security update.

Description :

The Net::HTTPS module in libwww-perl (LWP) before 6.00, as used in
WWW::Mechanize, LWP::UserAgent, and other products, when running in
environments that do not set the If-SSL-Cert-Subject header, does not
enable full validation of SSL certificates by default, which allows
remote attackers to spoof servers via man-in-the-middle (MITM) attacks
involving hostnames that are not properly validated. NOTE: it could be
argued that this is a design limitation of the Net::HTTPS API, and
separate implementations should be independently assigned CVE
identifiers for not working around this limitation. However, because
this API was modified within LWP, a single CVE identifier has been
assigned.

See also :

http://www.nessus.org/u?be5a6916

Solution :

Run 'yum update perl-libwww-perl' to update your system.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

Family: Amazon Linux Local Security Checks

Nessus Plugin ID: 69576

CVE ID: CVE-2011-0633