Security flaws have been reported in curl, the widely used command line tool for transferring data to and from servers, and in libcurl, the library behind it. The disclosure was pre-announced on the curl GitHub repository, and the Uptycs Research Team has been following the discussion closely. Users of curl and libcurl should pay attention now, because the library is embedded in a very large number of applications and container images, and the implications of a flaw in it are correspondingly broad.
The curl maintainer has announced that curl 8.4.0 will be released tomorrow, October 11, 2023, at 06:00 UTC. It fixes two security vulnerabilities, one of them rated HIGH severity; the details of both are being withheld until the release.
Our threat research team has been monitoring the situation and agrees with the maintainer's assessment that the HIGH severity flaw is "probably the worst curl security flaw in a long time."
The decision to pre-announce the fix rather than release it immediately drew scrutiny from the community; the maintainer explained the reasoning in the same GitHub discussion.
A vulnerability of this scale in libcurl ripples through many software ecosystems, because the library is linked into a great many applications and bundled into container images independently of the host. The questions we are hearing most often, with our answers based on what has been disclosed so far:
Two vulnerabilities are being fixed. The one rated HIGH is described by the maintainer as one of the worst curl security flaws in a long time, and it affects both the curl tool and the libcurl library.
The fix, curl 8.4.0, is scheduled for release tomorrow, October 11, 2023, at 06:00 UTC.
The affected version range has not been disclosed, since it would help pinpoint the vulnerable code, but the maintainer has indicated that releases from the "last several years" are impacted. Treat any curl or libcurl older than 8.4.0 as vulnerable until the advisory says otherwise.
As soon as the packages are available, update curl and libcurl, then restart every application or service that has libcurl loaded (a running process keeps using the old copy of a shared library until it is restarted), and rebuild container images that bundle curl or libcurl.
Updating should not break anything: the maintainer states there is no API or ABI change in the upcoming release, so applications dynamically linked against libcurl keep working after the package update. Statically linked binaries and vendored copies of the library do not pick up the fix from the system package and must be rebuilt against the fixed source.
Container images need attention too: many Docker images carry their own copy of libcurl, independent of the host, so a significant number of image rebuilds may be necessary.
The Uptycs unified CNAPP and XDR platform includes vulnerability management that scans workloads for vulnerable packages, including the curl CVEs once they are published, and its JIRA integration allows remediation to be tracked to completion.
In general, anything that links libcurl could be affected, provided it runs a vulnerable version and whatever preconditions the advisory describes apply. Which preconditions matter for a given application can only be determined once the details are published.
Security is a constantly shifting landscape, and tools as trusted as curl are not immune to vulnerabilities. Our shared responsibility as a community is to act promptly when such issues arise; the Uptycs team will keep publishing what we learn as the details become public.
Stay tuned for further updates from Uptycs.