Boaz Barzel
“On October 11, we will ship #curl 8.4.0, cutting the release cycle short due to the discovery of a severity HIGH security issue. Buckle up. This is probably the worst security problem found in curl in a long time.” Said Daniel Stenberg on LinkedIn and X (formerly Twitter)
Why should you care?
libcurl and curl are about to shake things up with an upcoming security alert, and it’s crucial to be prepared. Curl, a command-line tool that you run from a shell prompt or within scripts, boasting over 230 different command-line options and often scripted to mimic browsers, is available for most operating systems. Meanwhile, libcurl, a development library used in other programs, is compatible with numerous languages and operates on almost all operating systems, offering several different APIs and usage methods.
As written in the GitHub discussion, “The new version and details about the two CVEs will be published around 06:00 UTC on the release day.
CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool)
CVE-2023-38546: severity LOW (affects libcurl only, not the tool).”
You have been given an opportunity to prepare for it and quickly respond and remediate to reduce the risk and potential damage. It is important to understand that attackers are also monitoring this and will quickly try to use the information and exploit that vulnerability.
This guide will help you plan your response and navigate through the information so that when the new version of libcurl is released, you can immediately start to remediate risks.
Step 1: Assessing the Exposure
The exact details are under wraps to prevent early exploitation, but the curl maintainers have highlighted the seriousness of the high-severity issue, marking a crucial moment for libcurl.
For now, you should map all versions of libcurl and curl and pinpoint the locations they are used. Make sure to cover your code and containers as these packages can exist in your containers’ base image. That will help you understand the potential exposure and plan accordingly.
With the OX Security Platform, all you need to do is navigate to the SBOM page and search for [curl]. It will show you all the libcurl and curl packages from your code and containers, including information on the version, whether it is actually used in code or in a container that is deployed to the cloud.
You can start free now and, in a few minutes, discover all libcurl and curl packages used in your environment.
OX Security SBOM demo screenshot with all libcurl and curl packages
Step 2: Communication and Collaboration
Let’s keep everyone informed! Ensure all stakeholders and teams are aware of the upcoming update and potential risks.
This is also a good time to prepare the communication for your customers, ensuring a transparent communication channel.
Step 3: Prepare for Updates
Determine how libcurl and curl are installed on your systems, code, and containers and identify the pathways for updates, ensuring a smooth transition once the patch is released. You might also consider removing it altogether if it is not being used by your applications.
If you are using and old version of curl or libcurl, it might be a good idea to upgrade to the latest version before the release of the patched version. By doing so, it will be easier to upgrade to the new version in less time.
Since the patch update will be released on Wednesday, October 11, at 06:00 UTC, you will want to ensure the updates are done quickly, tested, and released as soon as possible. You would not want to carry that risk through the weekend if you can solve it beforehand.
Conclusion: Let OX prepare your response, and stay tuned
The upcoming libcurl and curl update is a pivotal moment, reminding enterprises of the vital importance of a response plan for security alerts. By understanding their exposure, crafting effective communication, preparing for updates, and learning from the experience, enterprises can navigate through such security alerts with minimized impact and an enhanced security posture.
OX Security will continue to monitor this situation and provide updates as events unfold. Sign up for a free OX Security account and let OX Security help you prepare and respond. OX Security Platform will discover every usage of libcurl and curl throughout your code and containers. Once an update is shared, it will allow you to quickly respond from the same console.
Make sure you follow us on Linkedin and check back on the OX Security Blog for any developments as they occur. If you have any questions, please feel free to send an email to one of our product specialists at support@ox.security.
