We are following up with additional information on Perl version support after the recent patches released by the Perl Steering Committee for CVE-2023-47038 and CVE-2023-47039.
What could go wrong if you don't address these two CVEs?
CVE-2023-47038 can corrupt or crash your program. Combined with another unknown or potential vulnerability in Perl or a library running with Perl where users can inject data into your running process, it may be possible for a dedicated attacker to execute malicious code remotely.
CVE-2023-47039 can allow an attacker to execute a file remotely via cmd.exe. When Perl on Windows runs shell commands (or otherwise uses the shell), it executes a program called cmd.exe. Perl looks for this file in the current process's system path, and it also looks in the running program's current working directory. An attacker who has permission to create a file in that directory can place a file named cmd.exe there, and Perl will run it instead of the real shell.
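As an added illustration of a defensive check (this is not ActiveState's or the Perl project's code, and the function names are our own), the script below refuses to continue on Windows when a stray cmd.exe is present in the working directory, and then spawns the shell by absolute path using the list form of system() so that no implicit lookup is performed. It assumes the usual %COMSPEC% and %SystemRoot% environment variables are set.

```perl
#!/usr/bin/env perl
# Added example (not from ActiveState or the Perl project): guard against a
# planted cmd.exe in the working directory and spawn the shell by absolute path.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Spec;

# Returns the absolute path of the shell we are willing to run.
# Prefers %COMSPEC% when it is absolute and exists; otherwise falls back to
# %SystemRoot%\System32\cmd.exe (assumed default location).
sub trusted_shell_path {
    my $comspec = $ENV{COMSPEC};
    return $comspec
        if defined $comspec
        && File::Spec->file_name_is_absolute($comspec)
        && -f $comspec;
    my $root = $ENV{SystemRoot} // 'C:\\Windows';
    return File::Spec->catfile($root, 'System32', 'cmd.exe');
}

# Returns the path of an unexpected cmd.exe in the current working
# directory, or undef when none is present.
sub stray_cmd_in_cwd {
    my $candidate = File::Spec->catfile(getcwd(), 'cmd.exe');
    return -e $candidate ? $candidate : undef;
}

if ($^O eq 'MSWin32') {
    if (my $stray = stray_cmd_in_cwd()) {
        warn "Refusing to run: unexpected cmd.exe in working directory: $stray\n";
        exit 1;
    }
    my $shell = trusted_shell_path();
    # List-form system() runs exactly the program at $shell; it does not
    # search the path or the working directory for a shell.
    system($shell, '/c', 'echo', 'hello') == 0
        or die "shell exited with status $?\n";
}
else {
    print "Not Windows; the cmd.exe lookup described above does not apply.\n";
}
```

This check only covers the script's own shell invocations; any module that shells out on your behalf still inherits the interpreter's lookup behaviour, so the actual fix remains running a patched Perl.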
But, we're here to help. Whether you intend to continue running EOL versions of Perl, or need a safety net during your upgrade process, we can help secure your Perl v5.22+ to mitigate security risks.
You are receiving this email because you signed up for the latest insights from ActiveState. This is a monthly email that shares the more popular content we've shared recently. You can access the complete library here.
As you may have seen in the news, the Perl Steering Committee recently identified and patched two new major vulnerabilities:
* CVE-2023-47038 - Write past buffer end via illegal user-defined Unicode property
* CVE-2023-47039 - Perl for Windows binary hijacking vulnerability
You're getting this email because you have expressed interest in or are using a version of Perl supported by ActiveState. The good news is we've already backported the newly released patches to Perl 5.22 and beyond!
Here's what to do next, if you are:
* Using an ActiveState Community Edition Perl Installer and you are concerned about these CVEs: contact us
* On an ActiveState Platform Free Tier Account and want to ensure you or your team are protected against these CVEs: contact us
* On the ActiveState Platform Team Tier or Enterprise Tier: log into the platform and download the patched Perl versions for 5.32-5.38 for all supported OSes (Windows, Mac, Linux)
* On the ActiveState Platform Team Tier or Enterprise Tier, but do not have access to end-of-life version support for Perl: contact us
If you are unsure of your access level or have any questions or concerns, please feel free to reply and we will connect you with a technical member of our team.