A security flaw has been uncovered in curl, a highly-trusted command line tool used to transfer data to and from a server. This discovery, sparked by discussions on the curl GitHub repository and a thorough investigation by the Uptycs Research Team, has revealed the urgent need for an impending update related to the curl vulnerability 2023. It is crucial for users of curl and libcurl to be fully aware of these vulnerabilities, as they possess significant potential implications.
The unfolding situation
Curl's maintainer unveiled the intention to release curl 8.4.0 tomorrow, 6:00 UTC, October 11, 2023, which will address the curl vulnerability 2023 by patching two critical vulnerabilities:
- A HIGH severity flaw (CVE-2023-38545) affecting both the curl tool and libcurl.
- A LOW severity flaw (CVE-2023-38546) impacting only libcurl.
Our Uptycs threat research team has been actively monitoring the situation and shares the sentiment of the curl maintainer that the HIGH severity flaw is, in essence, "probably the worst curl security flaw in a long time."
The decision behind the release date
The choice of delaying the release was scrutinized by the community. The maintainer's rationale includes:
- Detailed vulnerability assessment: Allowing more time for a thorough understanding of the issue.
- Patch readiness for distributors: Providing distributors adequate time to prepare their versions.
- Increasing community awareness: Informing the user base before the significant update.
- Schedule adherence: Matching the update with routine release days and personal commitments.
Our research at Uptycs shows that a vulnerability of this scale in libcurl can ripple through many software ecosystems. A few pressing queries include:
- Impact on derivatives: Tools derived from curl, like pycurl, can inherit this vulnerability.
- Vulnerable versions: Determining which past versions are vulnerable can aid in impact assessment.
Immediate steps to consider
- Update without delay: Upon the release of the patches, immediately update to curl 8.4.0.
- Conduct a system audit: If libcurl is embedded in your applications, review its usage for potential exposure.
- Continuous monitoring: Regularly check the official curl GitHub repository and Uptycs' research blogs for the latest developments.
FAQs regarding the cURL and libcurl vulnerability and the upcoming security update
1. What is the primary concern with the latest cURL and libcurl vulnerability?
The latest vulnerability, especially the one rated HIGH, is deemed one of the worst cURL security flaws in a long time, impacting both the cURL tool and libcurl library.
2. When will the fix for this vulnerability be released?
The fix, cURL version 8.4.0, will be released tomorrow, October 11, 2023 at 6:00 UTC.
3. Which versions of cURL and libcurl are affected by this vulnerability?
Specific version details have not been disclosed to prevent pinpointing the problem area, but the indication is that versions from the "last several years" could be impacted.
4. How can users protect their systems against these vulnerabilities?
Users should immediately update to the latest version of the packages once released, restart applications/services that rely on libcurl, and rebuild container images that incorporate the affected tools.
5. Will the security update affect existing integrations or setups due to API or ABI changes?
No, there is no API nor ABI change in the upcoming curl release, so updating should not introduce compatibility issues.
6. Are Docker images and other similar entities at risk?
Yes, many Docker images incorporate their own copies of libcurl, so a significant number of rebuilds might be necessary.
7. What is Uptycs' role in helping address this vulnerability?
Uptycs unified CNAPP & XDR platform includes a strong vulnerability management solution that can scan various workloads for vulnerabilities, including these new CVEs. Additionally, integration with tools like JIRA allows for effective tracking and remediation.
8. Will tools or systems that utilize libcurl, like pycurl, be affected by this vulnerability?
Generally, anything that uses libcurl could potentially be affected, assuming specific conditions apply and a vulnerable libcurl version is used. Specific determinations would require closer examination post-release.
Security is a constantly shifting landscape. Tools like curl, though trustworthy, are not immune to vulnerabilities. Our shared responsibility as a community is to act promptly when such issues arise. At Uptycs, our team remains committed to providing you with the latest insights to navigate these challenges safely.
Stay tuned for further updates from Uptycs.