ADVISORY: Prepare to patch high-severity vulnerability in curl and libcurl

An update to address a high-severity vulnerability in curl and libcurl, a command line tool and library for transferring data, is scheduled for release on Wednesday, October 11, 2023. To prepare for the release, identify all systems using curl and libcurl, and plan to implement the curl 8.4.0 update as soon as possible after it is released and tested.

Curl (a command-line tool) and libcurl (a client-side URL transfer library) are widely used in systems to transfer data with URLs. Although details of the vulnerability (CVE-2023-38545) have not been released yet, it is important to proactively identify affected systems so that the patch can be applied quickly.

There are no reports of the vulnerability being exploited in the wild. However, exploitation could begin quickly after vulnerability details are released.

Identify systems using curl/libcurl that are functioning as web servers or web application servers and that are exposed to access from the internet. These are likely to be at greater risk and should be prioritized for updates.

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

In general, the best protection for your devices is this: keep your software, apps, and operating systems up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.