Amazon Linux AMI : perl (ALAS-2013-177)

high Nessus Plugin ID 69736
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote Amazon Linux AMI host is missing a security update.


A heap overflow flaw was found in Perl. If a Perl application allowed user input to control the count argument of the string repeat operator, an attacker could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2012-5195)

A denial of service flaw was found in the way Perl's rehashing code implementation, responsible for recalculation of hash keys and redistribution of hash content, handled certain input. If an attacker supplied specially crafted input to be used as hash keys by a Perl application, it could cause excessive memory consumption.

It was found that the Perl CGI module, used to handle Common Gateway Interface requests and responses, incorrectly sanitized the values for Set-Cookie and P3P headers. If a Perl application using the CGI module reused cookies values and accepted untrusted input from web browsers, a remote attacker could use this flaw to alter member items of the cookie or add new items. (CVE-2012-5526)

It was found that the Perl Locale::Maketext module, used to localize Perl applications, did not properly handle backslashes or fully-qualified method names. An attacker could possibly use this flaw to execute arbitrary Perl code with the privileges of a Perl application that uses untrusted Locale::Maketext templates.


Run 'yum update perl' to update your system.

See Also

Plugin Details

Severity: High

ID: 69736

File Name: ala_ALAS-2013-177.nasl

Version: 1.9

Type: local

Agent: unix

Published: 9/4/2013

Updated: 2/7/2019

Dependencies: ssh_get_info.nasl

Risk Information


Risk Factor: High

Score: 7.4


Risk Factor: High

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:perl, p-cpe:/a:amazon:linux:perl-Archive-Extract, p-cpe:/a:amazon:linux:perl-Archive-Tar, p-cpe:/a:amazon:linux:perl-CGI, p-cpe:/a:amazon:linux:perl-CPAN, p-cpe:/a:amazon:linux:perl-CPANPLUS, p-cpe:/a:amazon:linux:perl-Compress-Raw-Bzip2, p-cpe:/a:amazon:linux:perl-Compress-Raw-Zlib, p-cpe:/a:amazon:linux:perl-Compress-Zlib, p-cpe:/a:amazon:linux:perl-Digest-SHA, p-cpe:/a:amazon:linux:perl-ExtUtils-CBuilder, p-cpe:/a:amazon:linux:perl-ExtUtils-Embed, p-cpe:/a:amazon:linux:perl-ExtUtils-MakeMaker, p-cpe:/a:amazon:linux:perl-ExtUtils-ParseXS, p-cpe:/a:amazon:linux:perl-File-Fetch, p-cpe:/a:amazon:linux:perl-IO-Compress-Base, p-cpe:/a:amazon:linux:perl-IO-Compress-Bzip2, p-cpe:/a:amazon:linux:perl-IO-Compress-Zlib, p-cpe:/a:amazon:linux:perl-IO-Zlib, p-cpe:/a:amazon:linux:perl-IPC-Cmd, p-cpe:/a:amazon:linux:perl-Locale-Maketext-Simple, p-cpe:/a:amazon:linux:perl-Log-Message, p-cpe:/a:amazon:linux:perl-Log-Message-Simple, p-cpe:/a:amazon:linux:perl-Module-Build, p-cpe:/a:amazon:linux:perl-Module-CoreList, p-cpe:/a:amazon:linux:perl-Module-Load, p-cpe:/a:amazon:linux:perl-Module-Load-Conditional, p-cpe:/a:amazon:linux:perl-Module-Loaded, p-cpe:/a:amazon:linux:perl-Module-Pluggable, p-cpe:/a:amazon:linux:perl-Object-Accessor, p-cpe:/a:amazon:linux:perl-Package-Constants, p-cpe:/a:amazon:linux:perl-Params-Check, p-cpe:/a:amazon:linux:perl-Parse-CPAN-Meta, p-cpe:/a:amazon:linux:perl-Pod-Escapes, p-cpe:/a:amazon:linux:perl-Pod-Simple, p-cpe:/a:amazon:linux:perl-Term-UI, p-cpe:/a:amazon:linux:perl-Test-Harness, p-cpe:/a:amazon:linux:perl-Test-Simple, p-cpe:/a:amazon:linux:perl-Time-HiRes, p-cpe:/a:amazon:linux:perl-Time-Piece, p-cpe:/a:amazon:linux:perl-core, p-cpe:/a:amazon:linux:perl-debuginfo, p-cpe:/a:amazon:linux:perl-devel, p-cpe:/a:amazon:linux:perl-libs, p-cpe:/a:amazon:linux:perl-parent, p-cpe:/a:amazon:linux:perl-suidperl, p-cpe:/a:amazon:linux:perl-version, cpe:/o:amazon:linux

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/15/2014

Vulnerability Publication Date: 11/21/2012

Exploitable With

Metasploit (TWiki MAKETEXT Remote Command Execution)

Elliot (TWiki 5.1.2 RCE)

Reference Information

CVE: CVE-2012-5195, CVE-2012-5526, CVE-2012-6329, CVE-2013-1667

ALAS: 2013-177

RHSA: 2013:0685