Upcoming Curl Release to Address One of the Most Critical Security Vulnerabilities in Recent Memory

A new curl release, due tomorrow, fixes two vulnerabilities, one of which lead developer Daniel Stenberg describes as "perhaps the most critical curl security flaw in recent memory."

Curl version 8.4.0 is scheduled to drop around 0600 UTC on October 11, addressing two vulnerabilities: CVE-2023-38545, affecting both libcurl and the curl tool, and CVE-2023-38546, exclusive to libcurl.

Notably, this release introduces no alterations to the API or ABI, making the update a relatively smooth transition.

CVE-2023-38545 carries a high-severity rating. Stenberg has not disclosed any specifics about either vulnerability, but he stressed the need to ship fixes quickly and shortened the usual release cycle to do so.

Stenberg explained, "I can't disclose any information regarding which version range is impacted, as it could significantly narrow down the potential issue, so I can't do that in advance. 'The last several years' of versions is the most specific I can be."

Curl stands as a foundational internet tool, serving as a command-line file transfer utility. It is employed in command-line operations and scripts to facilitate data transfers and is integrated into various connected devices, spanning from printers to automobiles. The project team proudly claims that it acts as "the internet transfer engine for thousands of software applications in over twenty billion installations," and they add, "curl is used daily by virtually every internet-using human on the globe."

The roots of curl can be traced back to 1998, though its precursors, urlget and httpget, originated in 1996. The name "cURL" was adopted by Stenberg because it incorporates "URL," and the tool predominantly worked with URLs. It offered the playful possibility of pronouncing it as 'see URL' since the tool displayed the content of a URL. Subsequently, a backronym was coined: "Curl URL Request Library."

While an urgent fix may not be the ideal 25th-anniversary gift for the curl team, it is a necessity in the face of these vulnerabilities.

Ax Sharma, a security researcher at Sonatype, noted that the severity of this vulnerability differs from the Log4j incident, stating, "This isn't Log4j reloaded, as some are portraying it." He further clarified that curl is primarily utilized as a command-line utility, distributed through operating system packages and employed as a system-level service provider or utility. Consequently, standard OS updates should automatically address the issue. This contrasts with Log4j, which is often deeply embedded as a dependency without direct update capabilities.

Nevertheless, Sharma underscored the seriousness of the vulnerability, reflected in its "HIGH" severity classification. He cautioned that the attack surface most worth monitoring is Docker base images that no longer receive updates and ship an application linked against the vulnerable libcurl.

He advised, "In summary, the best approach here is to stay composed, promptly install the patched packages, and bear in mind that containers may also contain operating systems."
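One check a defender can script against the Docker base image concern above: parse the first line of `curl --version` collected from an image and flag when either the curl tool or the libcurl it links predates 8.4.0. This is an added example, not code from the article or the curl project; the sample version lines are constructed.

```python
import re
import subprocess

# Version that carries the fix, as announced for the 8.4.0 release.
FIXED_VERSION = (8, 4, 0)

# First line of `curl --version` has the shape:
#   curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.9 zlib/1.2.13 ...
# The tool and the library it links can differ, so both are parsed.
TOOL_RE = re.compile(r"^curl\s+(\d+)\.(\d+)\.(\d+)")
LIB_RE = re.compile(r"\blibcurl/(\d+)\.(\d+)\.(\d+)")


def parse_curl_version(first_line):
    """Return (tool_version, libcurl_version) as int tuples, or None for each
    part that is missing, e.g. when the line is truncated or garbled."""
    tool = TOOL_RE.match(first_line.strip())
    lib = LIB_RE.search(first_line)
    as_tuple = lambda m: tuple(int(g) for g in m.groups())
    return (as_tuple(tool) if tool else None, as_tuple(lib) if lib else None)


def needs_update(first_line):
    """Flag tool and library separately; an unparseable version is treated as
    needing review rather than silently passing the check."""
    tool, lib = parse_curl_version(first_line)
    return {
        "tool": tool,
        "libcurl": lib,
        "tool_below_fix": tool is None or tool < FIXED_VERSION,
        "libcurl_below_fix": lib is None or lib < FIXED_VERSION,
    }


# Constructed sample lines (not output from real images).
SAMPLES = [
    "curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.9 zlib/1.2.13",
    "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11 zlib/1.2.13",
    "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.9",  # new tool, old lib
    "curl 7.88.1 (aarch64-unknown-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.9",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(needs_update(line))
    # Check the host's own curl; inside a container this is the image's curl.
    out = subprocess.run(["curl", "--version"], capture_output=True, text=True)
    print("host:", needs_update(out.stdout.splitlines()[0] if out.stdout else ""))
```

Distribution packages often backport security fixes without changing the upstream version string, so a "below fix" result identifies a build to verify against the package changelog, not a confirmed vulnerable one.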
