That was a big year for CPANSec.

In case some of the activities this year flew under your radar, please find some of the achievements listed in this retrospective!

Common Vulnerabilities and Exposures (CVEs)

In 2024, CPANSec worked to illustrate the importance of the Common Vulnerabilities and Exposures (CVE) process.

Until then, in our experience, very few CVEs had been published for Perl modules and tooling.
Beyond that, users and authors were somewhat reluctant to deal with CVEs at all.

A CVE is not a sign of poor code quality or maintenance; it is the standard, professional way of tagging and tracking a vulnerability, and it also signals how important the affected code is.

Vulnerable Spreadsheet Parsing modules

The start of the year was marked by vulnerabilities reported for Spreadsheet::ParseExcel:

Insecure modes of CPAN installers

CPANSec continued with the CPAN installer cpanminus (a major installer in the Perl ecosystem):

The latter is related to a fix made earlier, in 2023, by a CPANSec member to the CPAN installer cpan (part of the Perl core distribution):

Other

Similarly, a CVE was issued for the POSIX::2008 module:

Improving CVE tooling

Alongside CVEs themselves, tooling to monitor, fetch or test for them is very useful. Such tools can be installed in workflows or build tooling as a gatekeeper so that companies do not ship vulnerable code.

CPANSec produced and improved a few tools to fetch or test for CVEs:

Note: not all CVE tooling is managed by CPANSec; I’m thinking in particular of CPAN::Audit and its sidecar CPAN::Audit::DB, or NIST::NVD.

But CPANSec follows closely and contributes to them when possible.

CPANSec as a CVE Numbering Authority (CNA)

In 2023 and 2024, although CPANSec helped with or contributed to CVEs for CPAN, the assignment of CVEs remained under the control of another CNA, MITRE.

CPANSec members worked throughout the year to give the group the ability to assign CVEs. After all, who knows better than CPANSec the impact of CVEs on Perl modules? (If you know someone, send them our way! :)

By the end of the year, the groundwork to become a CNA was completed.

This designation was officially granted in February 2025: CPANSec is now a CVE Numbering Authority (CNA)!

The news of CPANSec becoming a CVE Numbering Authority (CNA) was welcomed by community luminaries like Greg Kroah-Hartman (Linux kernel) and Daniel Stenberg (cURL).

The CNA administrators are Timothy Legge, Stig Palmquist and Breno G. de Oliveira.

Introduced a SECURITY Policy template

In parallel, CPANSec collectively pushed for authors to publish a Security Policy.

Doing so is considered open source good practice, especially as security becomes more and more critical.

This effort resulted in the creation of a template, the writing of guidelines and, last but not least, the communication of this initiative through various channels.

To help authors integrate a Security Policy, the new tools Software::Security::Policy and Dist::Zilla::Plugin::SecurityPolicy were created and published.

Study on Random Number generation for Security

Generating random numbers is useful for a wide variety of tasks, but not all of them have the same level of criticality. In particular, randomly generated data used in a security context requires extra care: it must come from a source an attacker cannot predict.

CPANSec studied and reviewed CPAN modules for this use and shared the results in Random Data For Security Use.
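To make the distinction concrete, here is a small added example (written for this retrospective, not code from the study or from any of the modules it reviews). It contrasts Perl's built-in rand(), which is fine for a test shuffle, with an OS-backed CSPRNG for a session token. It assumes Crypt::URandom is installed from CPAN; MIME::Base64 is a core module.

```perl
#!/usr/bin/env perl
# Added example: non-cryptographic vs. cryptographic randomness in Perl.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64url);   # core module
use Crypt::URandom qw(urandom);          # assumption: installed from CPAN

# Perl's built-in rand() is a general-purpose PRNG. It is fine for things like
# randomising a test order, but its output is predictable to anyone who can
# observe a few values or guess the seed, so it must never feed tokens or keys.
sub shuffle_order {
    my @items = @_;
    for (my $i = $#items; $i > 0; $i--) {    # Fisher-Yates shuffle
        my $j = int rand($i + 1);
        @items[$i, $j] = @items[$j, $i];
    }
    return @items;
}

# Anything that protects an account or a session should come from the
# operating system's CSPRNG (getrandom(2), /dev/urandom, the Windows CNG API).
# Crypt::URandom wraps those sources portably.
sub session_token {
    my $bytes = shift // 32;                     # 256 bits of entropy by default
    return encode_base64url(urandom($bytes));    # URL-safe, no padding
}

# The anti-pattern the study warns against, kept here only to show what NOT
# to do: a token built from rand() looks random but is guessable.
sub weak_token_do_not_use {
    my @alphabet = ('a'..'z', 'A'..'Z', 0..9);
    return join '', map { $alphabet[int rand @alphabet] } 1..32;
}

print "shuffle: ", join(',', shuffle_order(1..5)), "\n";
print "token:   ", session_token(), "\n";
```

The practical rule is to pick the source by what the value protects, not by how random it looks: anything that gates access (session ids, reset tokens, salts, keys) goes through urandom(), and rand() stays in non-security code.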

Working on “TLS in core”

A vanilla install of Perl (the distribution) does not provide HTTPS capabilities, which is annoying. This is an important (and difficult) topic that is being addressed jointly by core developers and CPANSec.

Things started to go into motion in 2024 to make it happen.

Discussions were held with the Perl Steering Council and core contributors. A plan was created, and some preliminary work has begun.

One notable contribution is the creation of the new module Crypt::Bear by LEONT, wrapping the TLS library BearSSL.

Software Bill Of Materials (SBOM)

CPANSec attended many meetings in other security-related communities and cross-connected with several other organizations working on the topic.

One outcome of this effort is available in the form of an ongoing study on Roles and metadata in open source supply-chains, but the work goes well beyond that.

CPANSec volunteers adopted security-related modules:

Adoption is not always the only option: CPANSec also reviewed modules for insecure algorithms in order to recommend alternatives or propose deprecation.

Reviewing CPAN for supply chain attacks

Throughout the year, CPANSec volunteers performed an analysis of the CPAN ecosystem to determine exactly how vulnerable it would be to some common supply chain attacks:

More attack vectors were also looked at, including starjacking and namespace stealing.

Pentesting PAUSE

CPANSec volunteers reviewed and tested PAUSE with various attempts to break it with malicious modules, steal namespaces or execute remote code.

This was done on a local instance, made possible by the hard work on automation by “Table PAUSE” at the Perl Toolchain Summit 2024, which CPANSec later improved, tweaked (fast indexing, minor fixes…) and containerized.

Beyond pentesting, these deliverables are useful for plenty of other tests (on indexing, on the functioning of PAUSE itself) or as a local development environment for PAUSE.

Outreach

While CPANSec takes care of the security aspects of CPAN and Perl, it also promotes Perl in general and actively recruits for open source security work.

It is in this scope that the group had a presence at several events, from the Perl Toolchain Summit 2024 to the London Perl and Raku Workshop 2024, as well as FOSDEM 2024 and the OpenSSF summit.

Other

CPANSec also initiated a discussion (with a proposed change) to enable secure-by-default sessions in Mojolicious.

CPANSec had a recurring discussion on the topic of module signatures, reviewing the “by design” limitations of the current options and thinking about a correct way to implement that feature. Similarly, discussions about CPAN installer enhancements (“do not install a module version with a CVE”, “patch a module on the fly at install time”, etc.) were had, but only at an early stage.

At the very end of 2024, CPANSec reviewed the state of Perl’s bcrypt-related modules (Crypt::Bcrypt, Digest::Bcrypt) with respect to the kind of misuse reported in the Okta incident.
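For readers unfamiliar with what that misuse looks like, here is an added example (my own illustration, not code from CPANSec’s review or from the modules named above). bcrypt only consumes the first 72 bytes of its input; if identity fields are concatenated in front of the password before hashing, a long enough prefix pushes the real password past the cut-off and it stops mattering. The example assumes Crypt::Bcrypt and Crypt::URandom are installed from CPAN; the user id and username are constructed values.

```perl
#!/usr/bin/env perl
# Added example: why prepending fields to a password breaks bcrypt verification.
use strict;
use warnings;
use Crypt::Bcrypt qw(bcrypt bcrypt_check);  # assumption: installed from CPAN
use Crypt::URandom qw(urandom);             # assumption: installed from CPAN

# Correct use: the password alone is the input. bcrypt($password, $subtype,
# $cost, $salt) takes a 16-byte salt; cost 12 is a reasonable 2024 default.
sub hash_password {
    my ($password) = @_;
    return bcrypt($password, '2b', 12, urandom(16));
}

# Misuse: building the hash input from identity fields plus the password.
# Everything after byte 72 of this string is silently ignored by bcrypt.
sub misused_key {
    my ($user_id, $username, $password) = @_;
    return join('', $user_id, $username, $password);
}

sub demo {
    # Constructed values: 24 + 55 = 79 bytes of prefix, i.e. more than 72.
    my $user_id  = 'constructed-user-id-0001';
    my $username = 'a.very.long.username.at.example.com.that.keeps.going.on';
    my $prefix   = length($user_id) + length($username);

    # Direct hashing behaves as expected: a wrong password fails.
    my $good = hash_password('correct horse battery staple');
    printf "direct, right password: %s\n",
        bcrypt_check('correct horse battery staple', $good) ? 'ok' : 'fail';
    printf "direct, wrong password: %s\n",
        bcrypt_check('wrong', $good) ? 'ok' : 'fail';

    # With the misused scheme the password sits beyond the 72-byte cut-off,
    # so a completely different password still verifies.
    my $bad = bcrypt(misused_key($user_id, $username, 'secret'), '2b', 12, urandom(16));
    printf "prefix length: %d bytes\n", $prefix;
    printf "misused, wrong password: %s\n",
        bcrypt_check(misused_key($user_id, $username, 'totally-wrong'), $bad)
            ? 'ok (BUG: accepted)' : 'fail';
}

demo();
```

The defensive takeaway is simple: hash the password and nothing else, bind identity to the record through the stored salt and lookup key rather than the hash input, and reject or pre-hash passwords longer than 72 bytes explicitly instead of letting bcrypt truncate them in silence.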

Who are we?

I attributed many of the previous achievements to “CPANSec”, but who was part of the “CPANSec group” in 2024?

In alphabetical order by last name:

Olaf Alders
José Joaquín Atria
H.Merijn Brand
Thibault Duponchelle
Alexander Hartmaier
Alexander Karelas
Peter Krawczyk
Timothy Legge
Tina Müller
Ingy döt Net
Salve J. Nilsen
Breno G. de Oliveira
Stig Palmquist
Nicolas Rochelemagne
Robert Rothenberg
Giuseppe Di Terlizzi
Leon Timmermans

Final words

This was a big year; the group really took shape and got up to full speed, with progress in many places.

The group met regularly (18 meetings!), had fun and got outstanding results. This is the year when CPANSec got traction as a recognized supporting organization for securing the Perl/CPAN ecosystem.

With so many visible and impactful outcomes, 2024 confirmed well beyond expectations that CPANSec has a raison d’être.

It was also a very rewarding year for all people involved! Looking forward to a similarly successful 2025 :)