Security Bulletin: AIX is vulnerable to HTTP request smuggling due to Perl (CVE-2022-31081)

Summary

A vulnerability in libwww-perl could allow an attacker to poison web caches, bypass web application firewall protection, and conduct XSS attacks (CVE-2022-31081). AIX uses Perl in various operating system components.

Vulnerability Details

CVEID:CVE-2022-31081
**DESCRIPTION:**Libwww is vulnerable to HTTP request smuggling, caused by an unspecified flaw. By sending a specially-crafted HTTP(S) transfer-encoding request header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229880 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

The following fileset levels are vulnerable:

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user’s guide.

Example: lslpp -L | grep -i perl.rte

Remediation/Fixes

FIXES

IBM strongly recommends addressing the vulnerability now.

AIX and VIOS fixes are available.

The AIX and VIOS fixes can be downloaded via https from, under ‘Perl - Perl Version 5 Runtime’:

<https://www.ibm.com/resources/mrs/assets?source=aixbp&gt;

For AIX 7.1 TL5, 7.2 TL5, and 7.3 TL0, and for VIOS 3.1.2, 3.1.3, and 3.1.4:

perl.rte.5.28.1.5

For AIX 7.3 TL1:

perl.rte.5.34.1.2

Verify you have retrieved the fixes intact:

The checksums below were generated using the “openssl dgst -sha256 [filename]” command as the following:

IMPORTANT: If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.

To preview the fix installation:

installp -apYd . perl

To install the fix package:

installp -aXYd . perl

CONTACT US

For information on how to securely verify AIX security bulletins and fixes:

<https://www.ibm.com/support/pages/node/6985269&gt;

To obtain the OpenSSL public key that can be used to verify the signed advisory, download the key from our web page:

ftp://ftp.software.ibm.com/systems/power/AIX/systems_p_os_aix_security_pubkey.txt

<https://aix.software.ibm.com/aix/efixes/security/systems_p_os_aix_security_pubkey.txt&gt;

To verify the AIX/VIOS security bulletin:

Published advisory OpenSSL signature file location: <https://aix.software.ibm.com/aix/efixes/security/perl_advisory6.asc.sig&gt;

openssl dgst -sha256 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]

Please contact your local IBM AIX support center for any assistance:

<https://www.ibm.com/support&gt;

Workarounds and Mitigations

None