We were informed that two vulnerabilities have been discovered in cURL. cURL is a popular open source library used to transfer data via URLs. As one of the most widely used open source projects, it is included in many standard Linux distributions. On October 11th, 2023, a patch and further details will be released by the cURL project. We are awaiting those details so that we can assess the impact on myDRE and its users. We have identified the services in our infrastructure that use cURL, and we are actively monitoring the situation and the patch release.
Security is our top priority and we are prepared to address the issue. More updates will follow once we know more.
UPDATE: 2023-10-11 @ 13:32
Vulnerable:
- Windows and Linux VMs with full internet access might be vulnerable. (lib)curl may also be used by applications such as Python and R, so the system curl package is not the only copy to consider. We suggest closing full internet access until the VM can be patched. We will inform local Support Team members. Instructions for patching will follow.
Potentially vulnerable:
- VMs that make use of IP allowlisting. These are not affected unless:
  - the proxy is turned off, or
  - the VM is pointing to a SOCKS5 proxy after our firewall.
Not affected:
- VMs that make use of domain allowlisting are not affected, as our Squid proxy does not support SOCKS5 proxies. If you have ever requested domains to be opened for your Workspace, then you are part of this category.
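The categories above turn on two facts about a VM: which libcurl version it runs and whether curl would be sent through a SOCKS5 proxy. The following script is an added exposure check for a Linux VM, not myDRE's own tooling; it reports the libcurl version that the system curl links against, scans the proxy environment variables curl honours, and parses ~/.curlrc for a SOCKS5 proxy entry. The fixed version is not hard-coded (compare the reported version with the one named in the cURL project's advisory), and the function and file names are assumptions for this example.

```shell
#!/bin/sh
# Added exposure check (not myDRE tooling). Assumes a Linux VM with sh, sed, sort -V.

# Print the libcurl version from `curl --version` output passed as $1.
libcurl_version() {
  printf '%s\n' "$1" | sed -n '1s/.*libcurl\/\([0-9][0-9.]*\).*/\1/p'
}

# Succeed when version $1 sorts before version $2 (e.g. 8.1.2 before 8.2.0).
version_older_than() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Succeed when proxy URL $1 selects a SOCKS5 proxy (socks5:// or socks5h://, any case).
is_socks5_proxy() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    socks5://*|socks5h://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print SOCKS5 proxy values from curlrc-style text ($1), e.g. lines such as
# `proxy = "socks5h://host:1080"`, `--proxy=socks5://host:1080` or `-x socks5://host:1080`.
# Other proxy-related keys (proxy-user, ...) and non-SOCKS5 proxies are ignored.
curlrc_socks5_proxies() {
  printf '%s\n' "$1" \
    | sed -n -e 's/^[[:space:]]*-*proxy[[:space:]:=]*//p' \
             -e 's/^[[:space:]]*-x[[:space:]:=]*//p' \
    | tr -d '"' | while IFS= read -r val; do
        is_socks5_proxy "$val" && echo "$val"
      done
  return 0
}

# Report this VM's exposure. curl honours ALL_PROXY/all_proxy, HTTPS_PROXY/https_proxy
# and only the lowercase http_proxy, so those are the variables inspected here.
report_exposure() {
  ver=$(libcurl_version "$(curl --version 2>/dev/null || true)")
  echo "libcurl version: ${ver:-curl not found}"
  for var in ALL_PROXY all_proxy HTTPS_PROXY https_proxy http_proxy; do
    eval "val=\${$var:-}"
    is_socks5_proxy "$val" && echo "env $var points to a SOCKS5 proxy: $val"
  done
  [ -r "$HOME/.curlrc" ] && curlrc_socks5_proxies "$(cat "$HOME/.curlrc")" \
    | sed 's/^/~\/.curlrc points to a SOCKS5 proxy: /'
  return 0
}

report_exposure
```

Applications that bundle their own libcurl (for example an R curl package or a Python pycurl wheel) are not covered by this check and need to be inventoried separately.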
More sources: