CVE-2023-31486 HTTP::Tiny verify_SSL defaults to disabled
Announcement 2023-006
Published on 2023-06-22 14:30 Pacific
Last Updated on 2023-06-22 14:30 Pacific
Amazon Linux is aware of CVE-2023-31486 affecting the Perl HTTP::Tiny module, shipped in Amazon Linux AMI (AL1), AL2, and AL2023 in the perl-HTTP-Tiny RPM package and in the core perl RPM. We have audited all use of this Perl module within Amazon Linux to avoid unintended behavior based on this CVE. Customers are advised to audit their own use of this Perl module to ensure intended behavior.
In AL1, AL2, and AL2023, we have added a warning when HTTP::Tiny objects are created without being explicit about whether verify_SSL is enabled or not. To maintain backwards compatibility with existing use cases, the existing default behavior of HTTP::Tiny and certificate validation will not be changed; if the verify_SSL flag is left blank, HTTP::Tiny will not verify server identity.
We strongly encourage you to validate your codebase and use of Perl HTTP::Tiny and review its documentation on certificate validation.
An example code snippet to search for is HTTP::Tiny->new(); or other Perl constructs creating a new HTTP::Tiny connection object.
Customers are advised to be explicit about the intent of their code and whether the verify_SSL functionality should be enabled or disabled. To opt in to certificate validation, ensure that the verify_SSL => 1 argument is passed to the constructor. We strongly recommend not leaving the verify_SSL flag blank, as it will take the default value (0) and will not verify server identity, which may not be the intended behavior.
Example usage with certificate validation enabled: HTTP::Tiny->new( verify_SSL => 1 );
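The following is an added example (not code from this advisory or from the HTTP::Tiny distribution) showing how to be explicit about verify_SSL and how a validation failure surfaces at runtime; the helper name secure_client and the optional ca_file parameter are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example: build an HTTP::Tiny client with certificate validation
# explicitly enabled, confirm the setting, and handle a validation failure.
use strict;
use warnings;
use HTTP::Tiny;

# Hypothetical helper: never rely on the implicit default (verify_SSL => 0).
# An optional CA bundle path can be passed; otherwise HTTP::Tiny falls back
# to Mozilla::CA or a platform CA bundle.
sub secure_client {
    my (%opt) = @_;
    my %args = ( verify_SSL => 1, timeout => 10 );
    $args{SSL_options} = { SSL_ca_file => $opt{ca_file} } if $opt{ca_file};
    return HTTP::Tiny->new(%args);
}

my $http = secure_client();

# HTTP::Tiny exposes an accessor for each constructor attribute, so a
# startup self-check or unit test can assert the setting instead of
# trusting the default.
die "verify_SSL is not enabled\n" unless $http->verify_SSL;

# HTTP::Tiny does not throw on transport or TLS errors: a certificate that
# fails validation (or a missing CA bundle) is reported as an internal
# 599 response with the error message in 'content'.
my $url = shift @ARGV || 'https://example.com/';
my $res = $http->get($url);

if ( $res->{success} ) {
    printf "%s %s (%d bytes)\n", $res->{status}, $res->{reason},
        length $res->{content};
}
elsif ( $res->{status} == 599 ) {
    print "transport/TLS error: $res->{content}";
}
else {
    print "HTTP error: $res->{status} $res->{reason}\n";
}
```

Run it against an https URL with an expired or self-signed certificate and the 599 branch is taken; the same request made through a bare HTTP::Tiny->new() would succeed silently, which is the behavior this advisory warns about.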
Please refer to the official Perl documentation [1] for further details on SSL support in HTTP::Tiny, or the perldoc documentation shipped with the Amazon Linux package.
[1] Perl documentation: https://perldoc.perl.org/HTTP::Tiny#SSL-SUPPORT