In the ever-evolving landscape of cybersecurity, staying ahead of vulnerabilities and ensuring the safety of your digital assets is paramount. This week, the cURL project, under the stewardship of Daniel Stenberg, announced an imminent release that is set to address two security vulnerabilities – CVE-2023-38545 and CVE-2023-38546. In this blog post, we will delve into the details of these vulnerabilities, what we know so far, and what you can do to protect your systems.
The Release: cURL 8.4.0
On Wednesday, October 4th, 2023, Daniel Stenberg, a core maintainer of cURL, unveiled the forthcoming release of cURL, version 8.4.0. This release is scheduled to be available on October 11th, 2023, at approximately 06:00 UTC. The primary purpose of this release is to address the two vulnerabilities mentioned above. No specific details have been revealed about the vulnerabilities themselves, adding an element of suspense to the upcoming release.
The first vulnerability, CVE-2023-38546, is classified as having low severity. Importantly, it solely impacts libcurl, which is a library that enables developers to access cURL APIs from their code. If your organization employs libcurl, you should keep an eye to the forthcoming release and ensure you apply the update accordingly.
The second vulnerability, CVE-2023-38545, is of high severity and has a more widespread impact. It affects both the cURL command-line tool and libcurl. As of now, no specific version range has been disclosed that defines the affected systems. However, the impending release of cURL 8.4.0 on October 11th will provide a solution to this high-severity issue.
What We Know About CVE-2023-38545
Despite the scarcity of detailed information, some key points have been confirmed by official sources regarding CVE-2023-38545:
It has been described as “the worst security problem found in cURL in a long time,” raising the stakes for this particular vulnerability.
While the vulnerability is severe, not all users of cURL will be affected. The maintainers have noted that a “large chunk of users” will remain unaffected, possibly due to specific attack preconditions.
The vulnerability is classified as “High” by the cURL project, though it’s worth nothing that they theoretically support designating vulnerabilities as “Critical,” which hasn’t occurred so far.
Importantly, this vulnerability will not result in any API or ABI changes in the forthcoming cURL release.
What Should You Do?
In the face of these vulnerabilities, there are several steps you can take to protect your systems:
1. Identify cURL Instances
To ensure comprehensive coverage during your update efforts, it is crucial to identify every occurrence of cURL in your organization. This can be accomplished by maintaining a Software Bill of Materials (SBOM). An SBOM is an essential tool for monitoring software components and their respective versions, helping you pinpoint areas that require updates.
2. Prepare for the cURL 8.4.0 Release
cURL 8.4.0 is set to be released on October 11, 2023, and will provide the necessary fixes for these vulnerabilities. Prepare to update your systems promptly to the new fixed version to mitigate potential risks.
3. Utilize Security Tools
JFrog Security Essentials (Xray) and JFrog Advanced Security are valuable tools that can assist in identifying every occurrence of cURL across your entire codebase. These tools can help track cURL in various forms, including Docker containers, repository packages, and standalone binaries.
Impact of cURL Vulnerability in RELIANOID
The RELIANOID Open Source Load Balancing solution, available in both Community and Enterprise Editions, remains unaffected by the CVE-2023-38545 and CVE-2023-38546 vulnerabilities because we consistently utilize the latest official packages from security repositories. To maintain the security of your RELIANOID Load Balancer, it is essential to ensure that it is regularly updated using our official repositories. It is possible to verify the versions not vulnerable by executing in the load balancer (for versions CE v5 and EE v6.2) the command below.
root@noid-ee-01:~# dpkg -l | grep curl
ii curl 7.64.0-4+deb10u6 amd64 command line tool for transferring data with URL syntax
ii libcurl3-gnutls:amd64 7.64.0-4+deb10u6 amd64 easy-to-use client-side URL transfer library (GnuTLS flavour)
ii libcurl4:amd64 7.64.0-4+deb10u6 amd64 easy-to-use client-side URL transfer library (OpenSSL flavour)
More updated versions of such packages are also safe.
In summary, the upcoming release of cURL 8.4.0 is a critical milestone in addressing the vulnerabilities CVE-2023-38545 and CVE-2023-38546. Stay vigilant, prepare for the release, and use the available security tools to protect your systems. As more information becomes available, we will keep updating this blog post to provide you with the latest insights and guidance to safeguard your digital assets in an ever-changing cybersecurity landscape.
Get and enjoy the latest version of our Load Balancer Software.
We encourage you to Enjoy the Site Reliability Experience!