ID

VAR-201812-0271


CVE

CVE-2018-18311


TITLE

Perl Buffer error vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-012765

DESCRIPTION

Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations. Perl Contains a buffer error vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: rh-perl524-perl security update Advisory ID: RHSA-2019:0010-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2019:0010 Issue date: 2019-01-02 CVE Names: CVE-2018-18311 CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 ==================================================================== 1. Summary: An update for rh-perl524-perl is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6) - noarch, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Description: Perl is a high-level programming language that is commonly used for system administration utilities and web programming. Red Hat would like to thank the Perl project for reporting these issues. Upstream acknowledges Jayakrishna Menon as the original reporter of CVE-2018-18311; Eiichi Tsukata as the original reporter of CVE-2018-18312 and CVE-2018-18313; and Jakub Wilk as the original reporter of CVE-2018-18314. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6): Source: rh-perl524-perl-5.24.0-381.el6.src.rpm noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el6.noarch.rpm x86_64: rh-perl524-perl-tests-5.24.0-381.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6): Source: rh-perl524-perl-5.24.0-381.el6.src.rpm noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el6.noarch.rpm x86_64: rh-perl524-perl-tests-5.24.0-381.el6.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-perl524-perl-5.24.0-381.el7.src.rpm noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm x86_64: rh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4): Source: rh-perl524-perl-5.24.0-381.el7.src.rpm noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm x86_64: rh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5): Source: rh-perl524-perl-5.24.0-381.el7.src.rpm noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm x86_64: rh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6): Source: rh-perl524-perl-5.24.0-381.el7.src.rpm noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm x86_64: rh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-perl524-perl-5.24.0-381.el7.src.rpm noarch: rh-perl524-perl-Locale-Maketext-Simple-0.21-381.el7.noarch.rpm x86_64: rh-perl524-perl-tests-5.24.0-381.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-18311 https://access.redhat.com/security/cve/CVE-2018-18312 https://access.redhat.com/security/cve/CVE-2018-18313 https://access.redhat.com/security/cve/CVE-2018-18314 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXCzjWdzjgjWX9erEAQgGbxAAjUats4SSpuFti8OldbpStTe7erlyVhih Gh5YONFxhYXSTeCv064Qbm+3m6gxbHBuQtsydMtXYGuMhA6ire2vQkJGT4/IAE1y 55aL3GLosOiqdu/yrydYnnSfxVBitY5dxN4sUBSeh54HOHzPx247zVMzMD2AwPQy DpdQ639qseh+Aq79z0ZOqofH9PHX3XDm2kypR7mhohxkORJ0rkoHAKgIfn5y7Y79 w8vTRn+S6C4goJUCMOUYU4eSuFx2PV6abOTvodGfPO2PPwivkVDIqr2UxMEZV4nA wh13K9FteozKWQApxVIkR3ipg55SHC9xHd1vpsnZRnGrnG4bO0EOTcsQ/9N2FztR soBINhCU0ycU9/Fal1Ul4COp6F2vpDsMveeMXcnmNX+f8H8UOtd8VoR5sJ6fhApC Lb+20d2AWuClUtqBghcRMTlXxYOu7KWYGVbamfDeIOH6p/p4XA8iDUeUFB5B4v4s eAnD0bqK1RRFpuOPO2Fi5F/LZ18olTA7TuTWDmBwj27nYxaLunZtctaLg6p/QgYS T5mPOFl6CGnafhZgy0iihwCCEjIcz34vPUe9kmK7ywBoJ3GIfNnGJmOs+FC7ntzQ L9YCjVEk5e8hTDGq6HohPF73gxAwdQVNYxzLoh7XmAvcBefL/eAK+YhDhCtc0ZUb ul+etyPMblM=Fj2Q -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . The following packages have been upgraded to a later upstream version: rh-perl526-perl (5.26.3), rh-perl526-perl-Module-CoreList (5.20181130). The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2018-18311 Jayakrishna Menon and Christophe Hauser discovered an integer overflow vulnerability in Perl_my_setenv leading to a heap-based buffer overflow with attacker-controlled input. For the stable distribution (stretch), these problems have been fixed in version 5.24.1-3+deb9u5. We recommend that you upgrade your perl packages. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201909-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Perl: Multiple vulnerabilities Date: September 06, 2019 Bugs: #653432, #670190 ID: 201909-01 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in Perl, the worst of which could result in the arbitrary execution of code. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/perl < 5.28.2 >= 5.28.2 Description =========== Multiple vulnerabilities have been discovered in Perl. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Perl users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/perl-5.28.2" References ========== [ 1 ] CVE-2018-18311 https://nvd.nist.gov/vuln/detail/CVE-2018-18311 [ 2 ] CVE-2018-18312 https://nvd.nist.gov/vuln/detail/CVE-2018-18312 [ 3 ] CVE-2018-18313 https://nvd.nist.gov/vuln/detail/CVE-2018-18313 [ 4 ] CVE-2018-18314 https://nvd.nist.gov/vuln/detail/CVE-2018-18314 [ 5 ] CVE-2018-6797 https://nvd.nist.gov/vuln/detail/CVE-2018-6797 [ 6 ] CVE-2018-6798 https://nvd.nist.gov/vuln/detail/CVE-2018-6798 [ 7 ] CVE-2018-6913 https://nvd.nist.gov/vuln/detail/CVE-2018-6913 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201909-01 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2019 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . 7.5) - ppc64, ppc64le, s390x, x86_64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra are now available and addresses the following: AppleGraphicsControl Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A buffer overflow was addressed with improved size validation. CVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and shrek_wzw of Qihoo 360 Nirvan Team Bom Available for: macOS Mojave 10.14.3 Impact: A malicious application may bypass Gatekeeper checks Description: This issue was addressed with improved handling of file metadata. CVE-2019-6239: Ian Moorhouse and Michael Trimm CFString Available for: macOS Mojave 10.14.3 Impact: Processing a maliciously crafted string may lead to a denial of service Description: A validation issue was addressed with improved logic. CVE-2019-8516: SWIPS Team of Frifee Inc. configd Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A memory initialization issue was addressed with improved memory handling. CVE-2019-8552: Mohamed Ghannam (@_simo36) Contacts Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A buffer overflow issue was addressed with improved memory handling. CVE-2019-8511: an anonymous researcher CoreCrypto Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A buffer overflow was addressed with improved bounds checking. CVE-2019-8542: an anonymous researcher DiskArbitration Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: An encrypted volume may be unmounted and remounted by a different user without prompting for the password Description: A logic issue was addressed with improved state management. CVE-2019-8522: Colin Meginnis (@falc420) FaceTime Available for: macOS Mojave 10.14.3 Impact: A user's video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing Description: An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic. CVE-2019-8550: Lauren Guzniczak of Keystone Academy Feedback Assistant Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to gain root privileges Description: A race condition was addressed with additional validation. CVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs Feedback Assistant Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to overwrite arbitrary files Description: This issue was addressed with improved checks. CVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs file Available for: macOS Mojave 10.14.3 Impact: Processing a maliciously crafted file might disclose user information Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-6237: an anonymous researcher Graphics Drivers Available for: macOS Mojave 10.14.3 Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin (@panicaII) and Junzhi Lu of Trend Micro Research working with Trend Micro's Zero Day Initiative iAP Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A buffer overflow was addressed with improved bounds checking. CVE-2019-8542: an anonymous researcher IOGraphics Available for: macOS Mojave 10.14.3 Impact: A Mac may not lock when disconnecting from an external monitor Description: A lock handling issue was addressed with improved lock handling. CVE-2019-8533: an anonymous researcher, James Eagan of Télécom ParisTech, R. Scott Kemp of MIT, Romke van Dijk of Z-CERT IOHIDFamily Available for: macOS Mojave 10.14.3 Impact: A local user may be able to cause unexpected system termination or read kernel memory Description: A memory corruption issue was addressed with improved state management. CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team IOKit Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A local user may be able to read kernel memory Description: A memory initialization issue was addressed with improved memory handling. CVE-2019-8504: an anonymous researcher IOKit SCSI Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved input validation. CVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A remote attacker may be able to cause unexpected system termination or corrupt kernel memory Description: A buffer overflow was addressed with improved size validation. CVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6) Kernel Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3 Impact: Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges Description: A buffer overflow was addressed with improved bounds checking. CVE-2019-8508: Dr. Silvio Cesare of InfoSect Kernel Available for: macOS Mojave 10.14.3 Impact: An application may be able to gain elevated privileges Description: A logic issue was addressed with improved state management. CVE-2019-8514: Samuel Groß of Google Project Zero Kernel Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to determine kernel memory layout Description: A memory initialization issue was addressed with improved memory handling. CVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360 Nirvan Team Kernel Available for: macOS Mojave 10.14.3 Impact: A local user may be able to read kernel memory Description: A memory corruption issue was addressed with improved memory handling. CVE-2019-7293: Ned Williamson of Google Kernel Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to determine kernel memory layout Description: An out-of-bounds read issue existed that led to the disclosure of kernel memory. This was addressed with improved input validation. CVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan) CVE-2019-8510: Stefan Esser of Antid0te UG Messages Available for: macOS Mojave 10.14.3 Impact: A local user may be able to view sensitive user information Description: An access issue was addressed with additional sandbox restrictions. CVE-2019-8546: ChiYuan Chang Notes Available for: macOS Mojave 10.14.3 Impact: A local user may be able to view a user's locked notes Description: An access issue was addressed with improved memory management. CVE-2019-8537: Greg Walker (gregwalker.us) PackageKit Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to elevate privileges Description: A logic issue was addressed with improved validation. CVE-2019-8561: Jaron Bradley of Crowdstrike Perl Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: Multiple issues in Perl Description: Multiple issues in Perl were addressed in this update. CVE-2018-12015: Jakub Wilk CVE-2018-18311: Jayakrishna Menon CVE-2018-18313: Eiichi Tsukata Power Management Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple input validation issues existed in MIG generated code. These issues were addressed with improved validation. CVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure (ssd-disclosure.com) QuartzCore Available for: macOS Mojave 10.14.3 Impact: Processing malicious data may lead to unexpected application termination Description: Multiple memory corruption issues were addressed with improved input validation. CVE-2019-8507: Kai Lu or Fortinet's FortiGuard Labs Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: An application may be able to gain elevated privileges Description: A use after free issue was addressed with improved memory management. CVE-2019-8526: Linus Henze (pinauten.de) Security Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8520: Antonio Groza, The UK's National Cyber Security Centre (NCSC) Siri Available for: macOS Mojave 10.14.3 Impact: A malicious application may be able to initiate a Dictation request without user authorization Description: An API issue existed in the handling of dictation requests. This issue was addressed with improved validation. CVE-2019-8502: Luke Deshotels of North Carolina State University, Jordan Beichler of North Carolina State University, William Enck of North Carolina State University, Costin Carabaș of University POLITEHNICA of Bucharest, and Răzvan Deaconescu of University POLITEHNICA of Bucharest Time Machine Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS Mojave 10.14.3 Impact: A local user may be able to execute arbitrary shell commands Description: This issue was addressed with improved checks. CVE-2019-8513: CodeColorist of Ant-Financial LightYear Labs TrueTypeScaler Available for: macOS Mojave 10.14.3 Impact: Processing a maliciously crafted font may result in the disclosure of process memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2019-8517: riusksk of VulWar Corp working with Trend Micro Zero Day Initiative XPC Available for: macOS Sierra 10.12.6, macOS Mojave 10.14.3 Impact: A malicious application may be able to overwrite arbitrary files Description: This issue was addressed with improved checks. CVE-2019-8530: CodeColorist of Ant-Financial LightYear Labs Additional recognition Accounts We would like to acknowledge Milan Stute of Secure Mobile Networking Lab at Technische Universität Darmstadt for their assistance. Books We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance. Kernel We would like to acknowledge Brandon Azad of Google Project Zero for their assistance. Mail We would like to acknowledge Craig Young of Tripwire VERT and Hanno Böck for their assistance. Time Machine We would like to acknowledge CodeColorist of Ant-Financial LightYear Labs for their assistance. Installation note: macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlyZWQgpHHByb2R1Y3Qt c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3E4zA/9 FvnChJHCmmH34DmCi+LGXO/fatCVVvvSHDWm1+bPjl8CeYcF+zZYACkQKxFoNpDT vyiBJnNveCQEHeBvqSyRF8dfsTf4fr0MrFS1uIQVRPf2St6fZ27vDnC6fg269r0D Eqnz0raFUa3bLUirteRMJwAqdGaVKwsNzM13qP4QEdrB14XkwZA0yQBunltFYU33 iAesKeejDLdhwkjfhmmjTlVPZmnABx2ZCfj2v7TiPxTOjfYbXcN8sY2LDHEOWNaM ucrGBMfGH/ehStXAsIArwcLGOl6SI+6JywWVcm9lG6jUHSeSk9BPF6R4JzGrEHZB sSo87+U8b63KA2GkYecwh6xvE5EchQku/fj0d2zbOlg+T2bMbyc6Al2nefsYnX5p 7BuhdZxqq3m3Gme2qRY0eye6wch1BTHhK+zctrVH2XeMaUpeanopVRI8AD+hZJ1J +9oQX8kSa7hzJYPmohA4Wi/Rp9FpKpgXYNBn1A9DgSAvf+eyfWJX0aZXmQZfn/k7 OLz3EmSKvXv0i67L9g2XYeX7GFBMqf4xWeztKLUYFafu73t1mTxZJICcYeTxebS0 zBJdkOHwP9GxsSonblDgPScQPdW85l0fangn7qqiexCVp4JsCGBc0Wuy1lc+MyzS 1YmrDRhRl4aYOf4UGgtKI6ncvM77Y30ECPV3A6vl+wk= =QV0f -----END PGP SIGNATURE----- . ========================================================================== Ubuntu Security Notice USN-3834-2 December 03, 2018 perl vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 ESM Summary: Several security issues were fixed in Perl. Software Description: - perl: Practical Extraction and Report Language Details: USN-3834-1 fixed a vulnerability in perl. This update provides the corresponding update for Ubuntu 12.04 ESM. Original advisory details: Jayakrishna Menon discovered that Perl incorrectly handled Perl_my_setenv. An attacker could use this issue to cause Perl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-18311) Eiichi Tsukata discovered that Perl incorrectly handled certain regular expressions. An attacker could use this issue to cause Perl to crash, resulting in a denial of service. (CVE-2018-18313) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 ESM: perl 5.14.2-6ubuntu2.9 In general, a standard system update will make all the necessary changes

Trust: 2.52

sources: NVD: CVE-2018-18311 // JVNDB: JVNDB-2018-012765 // VULHUB: VHN-128858 // VULMON: CVE-2018-18311 // PACKETSTORM: 151001 // PACKETSTORM: 153965 // PACKETSTORM: 151000 // PACKETSTORM: 150523 // PACKETSTORM: 154385 // PACKETSTORM: 153652 // PACKETSTORM: 152222 // PACKETSTORM: 150565

AFFECTED PRODUCTS

vendor:canonicalmodel:ubuntu linuxscope:eqversion:12.04

Trust: 1.0

vendor:redhatmodel:enterprise linux eusscope:eqversion:7.6

Trust: 1.0

vendor:redhatmodel:enterprise linuxscope:eqversion:6.0

Trust: 1.0

vendor:perlmodel:perlscope:gteversion:5.28.0

Trust: 1.0

vendor:redhatmodel:enterprise linuxscope:eqversion:7.4

Trust: 1.0

vendor:redhatmodel:enterprise linux server tusscope:eqversion:7.6

Trust: 1.0

vendor:perlmodel:perlscope:ltversion:5.28.1

Trust: 1.0

vendor:redhatmodel:enterprise linux workstationscope:eqversion:7.0

Trust: 1.0

vendor:redhatmodel:enterprise linuxscope:eqversion:7.6

Trust: 1.0

vendor:redhatmodel:enterprise linux serverscope:eqversion:7.0

Trust: 1.0

vendor:applemodel:mac os xscope:ltversion:10.14.4

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:18.04

Trust: 1.0

vendor:redhatmodel:enterprise linuxscope:eqversion:7.0

Trust: 1.0

vendor:redhatmodel:enterprise linuxscope:eqversion:7.5

Trust: 1.0

vendor:netappmodel:e-series santricity os controllerscope:eqversion: -

Trust: 1.0

vendor:mcafeemodel:web gatewayscope:ltversion:8.1.1

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:16.04

Trust: 1.0

vendor:netappmodel:snap creator frameworkscope:eqversion: -

Trust: 1.0

vendor:mcafeemodel:web gatewayscope:ltversion:7.8.2.8

Trust: 1.0

vendor:redhatmodel:enterprise linux server ausscope:eqversion:7.6

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:14.04

Trust: 1.0

vendor:perlmodel:perlscope:ltversion:5.26.3

Trust: 1.0

vendor:netappmodel:snapcenterscope:eqversion: -

Trust: 1.0

vendor:redhatmodel:openshift container platformscope:eqversion:3.11

Trust: 1.0

vendor:mcafeemodel:web gatewayscope:ltversion:7.7.2.21

Trust: 1.0

vendor:mcafeemodel:web gatewayscope:gteversion:7.8.2

Trust: 1.0

vendor:netappmodel:snapdriverscope:eqversion: -

Trust: 1.0

vendor:canonicalmodel:ubuntu linuxscope:eqversion:18.10

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:8.0

Trust: 1.0

vendor:redhatmodel:enterprise linux desktopscope:eqversion:7.0

Trust: 1.0

vendor:fedoraprojectmodel:fedorascope:eqversion:29

Trust: 1.0

vendor:mcafeemodel:web gatewayscope:gteversion:8.0.0

Trust: 1.0

vendor:mcafeemodel:web gatewayscope:gteversion:7.7.2

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:the perlmodel:perlscope:ltversion:5.28.x

Trust: 0.8

vendor:canonicalmodel:ubuntuscope: - version: -

Trust: 0.8

vendor:debianmodel:gnu/linuxscope: - version: -

Trust: 0.8

vendor:the perlmodel:perlscope:eqversion:5.28.1

Trust: 0.8

sources: JVNDB: JVNDB-2018-012765 // NVD: CVE-2018-18311

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-18311
value: CRITICAL

Trust: 1.0

NVD: CVE-2018-18311
value: CRITICAL

Trust: 0.8

VULHUB: VHN-128858
value: HIGH

Trust: 0.1

VULMON: CVE-2018-18311
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2018-18311
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-128858
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-18311
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-128858 // VULMON: CVE-2018-18311 // JVNDB: JVNDB-2018-012765 // NVD: CVE-2018-18311

PROBLEMTYPE DATA

problemtype:CWE-190

Trust: 1.1

problemtype:CWE-787

Trust: 1.1

problemtype:CWE-119

Trust: 0.9

sources: VULHUB: VHN-128858 // JVNDB: JVNDB-2018-012765 // NVD: CVE-2018-18311

TYPE

overflow

Trust: 0.4

sources: PACKETSTORM: 151001 // PACKETSTORM: 153965 // PACKETSTORM: 151000 // PACKETSTORM: 153652

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-012765

PATCH

title:DSA-4347url:https://www.debian.org/security/2018/dsa-4347

Trust: 0.8

title:Perl_my_setenv(); handle integer wrapurl:https://github.com/Perl/perl5/commit/34716e2a6ee2af96078d62b065b7785c001194be

Trust: 0.8

title:[SECURITY] Fedora 29 Update: perl-5.28.1-425.fc29url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/

Trust: 0.8

title:USN-3834-1url:https://usn.ubuntu.com/3834-1/

Trust: 0.8

title:USN-3834-2url:https://usn.ubuntu.com/3834-2/

Trust: 0.8

title:Red Hat: Important: perl security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20192400 - Security Advisory

Trust: 0.1

title:Red Hat: Important: perl security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20190109 - Security Advisory

Trust: 0.1

title:Red Hat: Important: perl security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20191942 - Security Advisory

Trust: 0.1

title:Red Hat: Important: perl security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20191790 - Security Advisory

Trust: 0.1

title:Red Hat: Important: rh-perl524-perl security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20190010 - Security Advisory

Trust: 0.1

title:Red Hat: Important: rh-perl526-perl security and enhancement updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20190001 - Security Advisory

Trust: 0.1

title:Ubuntu Security Notice: perl vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3834-2

Trust: 0.1

title:Amazon Linux AMI: ALAS-2019-1180url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2019-1180

Trust: 0.1

title:Amazon Linux 2: ALAS2-2019-1166url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2019-1166

Trust: 0.1

title:Red Hat: CVE-2018-18311url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2018-18311

Trust: 0.1

title:Ubuntu Security Notice: perl vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3834-1

Trust: 0.1

title:Debian Security Advisories: DSA-4347-1 perl -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=9d703224274c60e23b97462e56895757

Trust: 0.1

title:IBM: IBM Security Bulletin: A vulnerability in Perl affects PowerKVMurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=3138e313caf45ee4ff0ccc294e40bbe3

Trust: 0.1

title:IBM: IBM Security Bulletin: IBM MQ Cloud Paks are vulnerable to multiple vulnerabilities in Perl (CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18311)url:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=48c2d25ee84d3c5c67f054df5e25d685

Trust: 0.1

title:Oracle Linux Bulletins: Oracle Linux Bulletin -url:https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins&qid=03eedb4fe879a888adeecb9d62c3c412

Trust: 0.1

title:IBM: IBM Security Bulletin: Multiple Security vulnerabilities have been fixed in the IBM Security Access Manager Applianceurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=1519a5f830589c3bab8a20f4163374ae

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - January 2019url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=aea3fcafd82c179d3a5dfa015e920864

Trust: 0.1

title:IBM: IBM Security Bulletin: IBM Security Privileged Identity Manager is affected by multiple security vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=8580d3cd770371e2ef0f68ca624b80b0

Trust: 0.1

title:IBM: IBM Security Bulletin: IBM API Connect has addressed multiple vulnerabilities in Developer Portal’s dependencies – Cumulative list from June 28, 2018 to December 13, 2018url:https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=43da2cd72c1e378d8d94ecec029fcc61

Trust: 0.1

title: - url:https://github.com/D5n9sMatrix/perltoc

Trust: 0.1

title: - url:https://github.com/aravindb26/new.txt

Trust: 0.1

sources: VULMON: CVE-2018-18311 // JVNDB: JVNDB-2018-012765

EXTERNAL IDS

db:NVDid:CVE-2018-18311

Trust: 2.8

db:SECTRACKid:1042181

Trust: 1.2

db:BIDid:106145

Trust: 1.2

db:MCAFEEid:SB10278

Trust: 1.2

db:JVNDBid:JVNDB-2018-012765

Trust: 0.8

db:PACKETSTORMid:151001

Trust: 0.2

db:PACKETSTORMid:153965

Trust: 0.2

db:PACKETSTORMid:150565

Trust: 0.2

db:PACKETSTORMid:153652

Trust: 0.2

db:PACKETSTORMid:151000

Trust: 0.2

db:PACKETSTORMid:154385

Trust: 0.2

db:PACKETSTORMid:150523

Trust: 0.2

db:PACKETSTORMid:150564

Trust: 0.1

db:PACKETSTORMid:151248

Trust: 0.1

db:PACKETSTORMid:153814

Trust: 0.1

db:VULHUBid:VHN-128858

Trust: 0.1

db:VULMONid:CVE-2018-18311

Trust: 0.1

db:PACKETSTORMid:152222

Trust: 0.1

sources: VULHUB: VHN-128858 // VULMON: CVE-2018-18311 // JVNDB: JVNDB-2018-012765 // PACKETSTORM: 151001 // PACKETSTORM: 153965 // PACKETSTORM: 151000 // PACKETSTORM: 150523 // PACKETSTORM: 154385 // PACKETSTORM: 153652 // PACKETSTORM: 152222 // PACKETSTORM: 150565 // NVD: CVE-2018-18311

REFERENCES

url:https://bugzilla.redhat.com/show_bug.cgi?id=1646730

Trust: 2.0

url:https://nvd.nist.gov/vuln/detail/cve-2018-18311

Trust: 1.6

url:https://access.redhat.com/errata/rhsa-2019:2400

Trust: 1.4

url:https://security.gentoo.org/glsa/201909-01

Trust: 1.3

url:https://access.redhat.com/errata/rhsa-2019:0001

Trust: 1.3

url:https://access.redhat.com/errata/rhsa-2019:0010

Trust: 1.3

url:https://access.redhat.com/errata/rhsa-2019:1790

Trust: 1.3

url:https://usn.ubuntu.com/3834-2/

Trust: 1.3

url:http://www.securityfocus.com/bid/106145

Trust: 1.2

url:https://seclists.org/bugtraq/2019/mar/42

Trust: 1.2

url:https://github.com/perl/perl5/commit/34716e2a6ee2af96078d62b065b7785c001194be

Trust: 1.2

url:https://metacpan.org/changes/release/shay/perl-5.26.3

Trust: 1.2

url:https://metacpan.org/changes/release/shay/perl-5.28.1

Trust: 1.2

url:https://rt.perl.org/ticket/display.html?id=133204

Trust: 1.2

url:https://security.netapp.com/advisory/ntap-20190221-0003/

Trust: 1.2

url:https://support.apple.com/kb/ht209600

Trust: 1.2

url:https://www.debian.org/security/2018/dsa-4347

Trust: 1.2

url:http://seclists.org/fulldisclosure/2019/mar/49

Trust: 1.2

url:https://www.oracle.com/security-alerts/cpuapr2020.html

Trust: 1.2

url:https://www.oracle.com/security-alerts/cpujul2020.html

Trust: 1.2

url:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Trust: 1.2

url:https://lists.debian.org/debian-lts-announce/2018/11/msg00039.html

Trust: 1.2

url:https://access.redhat.com/errata/rhba-2019:0327

Trust: 1.2

url:https://access.redhat.com/errata/rhsa-2019:0109

Trust: 1.2

url:https://access.redhat.com/errata/rhsa-2019:1942

Trust: 1.2

url:http://www.securitytracker.com/id/1042181

Trust: 1.2

url:https://usn.ubuntu.com/3834-1/

Trust: 1.2

url:https://kc.mcafee.com/corporate/index?page=content&id=sb10278

Trust: 1.1

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/rwqgeb543qn7ssbrkyjm6psoc3rlygsm/

Trust: 1.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-18311

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-18313

Trust: 0.6

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2018-18311

Trust: 0.4

url:https://access.redhat.com/security/team/contact/

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2018-18312

Trust: 0.4

url:https://bugzilla.redhat.com/):

Trust: 0.4

url:https://access.redhat.com/security/team/key/

Trust: 0.4

url:https://access.redhat.com/articles/11258

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2018-18314

Trust: 0.4

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.4

url:https://access.redhat.com/security/cve/cve-2018-18313

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2018-18312

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2018-18314

Trust: 0.2

url:https://kc.mcafee.com/corporate/index?page=content&amp;id=sb10278

Trust: 0.1

url:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/rwqgeb543qn7ssbrkyjm6psoc3rlygsm/

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/787.html

Trust: 0.1

url:https://cwe.mitre.org/data/definitions/190.html

Trust: 0.1

url:https://tools.cisco.com/security/center/viewalert.x?alertid=59232

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://security-tracker.debian.org/tracker/perl

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-6913

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-6797

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-6798

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8514

Trust: 0.1

url:https://support.apple.com/kb/ht201222

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8511

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8519

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8502

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8516

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-6239

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8522

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-6237

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8540

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8526

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8527

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-12015

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8533

Trust: 0.1

url:https://support.apple.com/downloads/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8520

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8517

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8521

Trust: 0.1

url:https://www.apple.com/support/security/pgp/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-6207

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8504

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-7293

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8510

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8508

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8530

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8513

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8529

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8537

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-8507

Trust: 0.1

url:https://usn.ubuntu.com/usn/usn-3834-2

Trust: 0.1

url:https://usn.ubuntu.com/usn/usn-3834-1

Trust: 0.1

sources: VULHUB: VHN-128858 // VULMON: CVE-2018-18311 // JVNDB: JVNDB-2018-012765 // PACKETSTORM: 151001 // PACKETSTORM: 153965 // PACKETSTORM: 151000 // PACKETSTORM: 150523 // PACKETSTORM: 154385 // PACKETSTORM: 153652 // PACKETSTORM: 152222 // PACKETSTORM: 150565 // NVD: CVE-2018-18311

CREDITS

Red Hat

Trust: 0.4

sources: PACKETSTORM: 151001 // PACKETSTORM: 153965 // PACKETSTORM: 151000 // PACKETSTORM: 153652

SOURCES

db:VULHUBid:VHN-128858
db:VULMONid:CVE-2018-18311
db:JVNDBid:JVNDB-2018-012765
db:PACKETSTORMid:151001
db:PACKETSTORMid:153965
db:PACKETSTORMid:151000
db:PACKETSTORMid:150523
db:PACKETSTORMid:154385
db:PACKETSTORMid:153652
db:PACKETSTORMid:152222
db:PACKETSTORMid:150565
db:NVDid:CVE-2018-18311

LAST UPDATE DATE

2024-12-25T21:33:43.633000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-128858date:2020-08-24T00:00:00
db:VULMONid:CVE-2018-18311date:2023-11-07T00:00:00
db:JVNDBid:JVNDB-2018-012765date:2019-02-07T00:00:00
db:NVDid:CVE-2018-18311date:2024-11-21T03:55:40.773

SOURCES RELEASE DATE

db:VULHUBid:VHN-128858date:2018-12-07T00:00:00
db:VULMONid:CVE-2018-18311date:2018-12-07T00:00:00
db:JVNDBid:JVNDB-2018-012765date:2019-02-07T00:00:00
db:PACKETSTORMid:151001date:2019-01-03T02:57:52
db:PACKETSTORMid:153965date:2019-08-07T20:08:30
db:PACKETSTORMid:151000date:2019-01-03T02:57:21
db:PACKETSTORMid:150523date:2018-11-30T15:01:16
db:PACKETSTORMid:154385date:2019-09-06T22:21:33
db:PACKETSTORMid:153652date:2019-07-16T20:10:26
db:PACKETSTORMid:152222date:2019-03-26T14:40:53
db:PACKETSTORMid:150565date:2018-12-03T21:10:24
db:NVDid:CVE-2018-18311date:2018-12-07T21:29:00.407