cURL vulnerability
We were informed that two vulnerabilities have been discovered in cURL. cURL is a popular open source library used to transfer data via URLs. As one of the most widely used open source projects, it is included in many standard Linux distributions. On October 11th 2023 a patch and more details will be released by the cURL project. We are awaiting further details so that we can assess the impact on myDRE and its users. We have identified the services using cURL in our infrastructure and we are actively monitoring the situation and patch release.
Security is our top priority and we are prepared to address the issue. More updates will follow once we know more.
UPDATE: 2023-10-11 @ 13:32
The patch and details of the vulnerability have been released: https://curl.se/docs/CVE-2023-38545.html. The attack surface on myDRE is rather limited. A small breakdown:
Vulnerable:
- Windows and Linux VMs with full internet access might be vulnerable. Versions of (lib)curl might be used in applications like Python and R. We suggest to close the full internet access until the VM can be patched. We will inform local Support Team members. Instructions for patching will follow.
Potentially vulnerable:
- VMs that make use of IP allowlisting.
- Not affected, unless
- proxy is turned off.
- pointing to SOCKS5 proxy after our firewall.
Not affected:
- VMs that make use of domain allowlisting are not affected as our squid proxy does not support SOCKS5 proxies. If you have ever requested domains to be opened for your Workspace then you are part of this category.
More sources:
Slightly longer read here: https://www.helpnetsecurity.com/2023/10/10/curl-vulnerabilities-cve-2023-38545/
Original source: https://github.com/curl/curl/discussions/12026
Related Articles
Low severity vulnerability in Linux VMs patch
TL;DR: We have found a low severity vulnerability in Linux VMs. It has been patched for newly created VMs. Existing VMs can be self-service patched by downloading and running the script below. What happened? While troubleshooting a Linux VM, we ...[Action needed] Low severity vulnerability in Linux VMs
While troubleshooting a Linux VM, we recently uncovered a low severity vulnerability regarding logging into Linux VMs. A fix has been deployed to patch the issue in new VMs (i.e. VMs that are newly created from now on). Users can self-service patch ...Vulnerability in Apache Log4j (CVE-2021-44228)
Background See: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 Impact on anDREa and all its services Production anDREa does not use Log4J or forks in production. Impact: NONE Actions: no action needed update: 2021/12/13 Workspaces that might have ...myDRE is NOT vulnerable for CVE-2022-26809 - Serious Vulnerabilities in Microsoft Windows Workplaces and Servers
Situation Last “patch Tuesday” Microsoft disclosed and fixed a large number of serious vulnerabilities in Microsoft Windows. One of these vulnerabilities is identified as CVE-2022-26809 with a CVSS score of 9.8 (scale 1-10). CVE-2022-26809 is a ...myDRE NOT vulnerable for CVE-2021-4428 - Apache Log4J2
anDREa does not use Apache Log4J2 nor forks in production. update: 2021/12/13 Workspaces that might have installed Log4J2 on their VM(s), Windows or Linux, are not vulnerable for no Workspace is allowed to have inbound access. Read more ...