📖 ~4 min read • Source: SUSE advisory RHSA-2025:9517 (see also SUSE bugzilla)
Related CVEs: CVE-2011-10007
Upstream summary: File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code Execution when `grep()` encounters a crafted filename. A file handle is opened with the 2 argument form of `open()` allowing an attacker controlled filename to provide the MODE parameter to `open()`, turning the filename into a command to be executed. Example: $ mkdir /tmp/poc; echo > "/tmp/poc/|id" $ perl -MFile::Find::Rule -E 'File::Find::Rule->grep("foo")->in("/tmp/poc")' uid=1000(user) gid=1000(user)
Table of contents
Symptom & Impact
On SLES 15 hosts running perl-File-Find-Rule, administrators report behaviour consistent with SUSE advisory RHSA-2025:9517: zypper refusing to install or restart affected services, AppArmor profile warnings in journalctl, and — for security-rated advisories — exposure to the vulnerability set above. In production estates the visible impact ranges from a single service restart to wider availability incidents whenever perl-File-Find-Rule sits on the serving path.
Environment & Reproduction
Reproduction targets SLES 15. Confirm release with cat /etc/os-release and SUSEConnect --status-text, and the currently installed package with rpm -q perl-File-Find-Rule. Capture system state with supportconfig -R /var/tmp -B perl-File-Find-Rule if you need to attach evidence to a SUSE support case. Trigger the workflow that exposes perl-File-Find-Rule — vulnerability — patch and remediation guide while collecting journalctl -b, zypper history, and rpm -qa output.
Root Cause Analysis
Root cause is documented in SUSE advisory RHSA-2025:9517. Upstream maintainers shipped fixes in the corresponding perl-File-Find-Rule update for SLES 15; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate journalctl --since timestamps with zypper history entries and any AppArmor denials in /var/log/audit/audit.log to isolate the originating change.
Quick Triage
Quick triage: run systemctl status perl-File-Find-Rule, journalctl -u perl-File-Find-Rule -n 200, zypper patch-check, zypper lp, firewall-cmd --list-all, and aa-status. If AppArmor is in enforce mode, capture journalctl -k | grep apparmor to surface denials linked to perl-File-Find-Rule — vulnerability — patch and remediation guide.
Step-by-Step Diagnosis
1) Confirm symptom with systemctl --failed. 2) Inspect logs: journalctl -xe and journalctl -u perl-File-Find-Rule. 3) Validate firewall: firewall-cmd --list-all-zones. 4) Check AppArmor: aa-status and journalctl -k | grep apparmor. 5) Verify package integrity: rpm -V perl-File-Find-Rule and zypper verify. 6) Correlate findings with zypper history, /var/log/zypp/history, and SUSE advisory RHSA-2025:9517 to pin the change that introduced perl-File-Find-Rule — vulnerability — patch and remediation guide.
Solution – Primary Fix
Primary fix for perl-File-Find-Rule — vulnerability — patch and remediation guide: apply the corrective zypper transaction described in SUSE advisory RHSA-2025:9517, reload the affected systemd unit, and reconcile firewalld and AppArmor state. Typical commands: sudo zypper ref, sudo zypper -n patch or sudo zypper -n update perl-File-Find-Rule, sudo systemctl daemon-reload, sudo systemctl restart perl-File-Find-Rule, then rpm -q perl-File-Find-Rule to validate the new build is installed. For kernel advisories add sudo systemctl reboot or schedule a Live Patch (kgraft/klp) where covered by your SUSE subscription.
Need help rolling this patch across a SUSE fleet? Our IT Solutions & Services team manages SUSE patch windows with zero-downtime change controls. Get in touch for a free consultation.
Solution – Alternative Approaches
Alternatives include rolling back the offending transaction with sudo zypper history --rollback <id> (Btrfs Snapper snapshots make this safe on SLES 15), locking the package via sudo zypper al perl-File-Find-Rule, switching firewalld backends between nftables and iptables in /etc/firewalld/firewalld.conf, or temporarily disabling the AppArmor profile with sudo aa-disable /etc/apparmor.d/usr.sbin.perl-File-Find-Rule to confirm policy is the cause before authoring a custom profile. Where Live Patching is licensed, klp patches applies kernel fixes without reboot.
Verification & Acceptance Criteria
Acceptance: rpm -q perl-File-Find-Rule shows the expected fixed version, systemctl is-active perl-File-Find-Rule returns active, journalctl -u perl-File-Find-Rule --since "5 minutes ago" shows no errors, zypper patch-check reports zero open patches for this advisory, firewall-cmd --list-services includes the required services, aa-status reports the intended profile mode, and the original reproduction steps for perl-File-Find-Rule — vulnerability — patch and remediation guide no longer trigger the failure across two consecutive runs.
Rollback Plan
Capture state with zypper history list, snapper list, and rpm -qa > /root/rpm-pre.txt before any change. To revert, run sudo snapper undochange <pre>..<post> on Btrfs deployments or sudo zypper install --oldpackage perl-File-Find-Rule-<old-version> and reload systemctl daemon-reload. Remove custom AppArmor profiles with sudo apparmor_parser -R. Reboot if the kernel or initramfs was changed and re-verify symptoms.
Prevention & Hardening
Prevent recurrence by enabling automatic security patches with zypper-automatic or YaST > Online Update Configuration, subscribing to the SUSE-SU mailing list, mirroring through SUSE Manager / RMT for controlled rollouts, version-locking sensitive packages with zypper al, and monitoring file integrity with aide --check. Apply CIS SLES 15 hardening, enable Snapper rollbacks on Btrfs root, and where supported enable SUSE Live Patching so future advisories like this can be remediated without reboot.
Related Errors & Cross-Refs
Related issues that commonly surface alongside perl-File-Find-Rule — vulnerability — patch and remediation guide: zypper transaction lock contention, systemd unit ordering cycles, AppArmor denials in journalctl -k, firewalld zone drift, and kernel taint flags shown by cat /proc/sys/kernel/tainted. See sibling common-problem articles in this SLES 15 series for adjacent failure modes.
View all sles-15 tutorials on the Tutorials Hub →
Browse all common problems & solutions on the Tutorials Hub.
References & Further Reading
Primary reference: SUSE advisory RHSA-2025:9517 (see also SUSE bugzilla). Supporting docs: SUSE Linux Enterprise Server Administration Guide, man zypper, man systemctl, man firewall-cmd, man aa-status, man snapper, man journalctl, the SUSE patch finder at suse.com/patches/, and the SUSE Live Patching documentation. Review /usr/share/doc/packages/perl-File-Find-Rule/ for component-level notes implicated in perl-File-Find-Rule — vulnerability — patch and remediation guide.
