ADVISORY: Prepare to patch high-severity vulnerability in curl and libcurl

10/10/2023
Dark blue background with a white computer icon. On its screen is an exclamation mark.

See the update to this advisory. This message is intended for U-M IT staff who are responsible for any systems that utilize curl and libcurl.

Summary

An update to address a high-severity vulnerability in curl and libcurl, a command line tool and library for transferring data, is scheduled for release on Wednesday, October 11, 2023. To prepare for the release, identify all systems using curl and libcurl, and plan to implement the curl 8.4.0 update as soon as possible after it is released and tested.

Problem

Curl (a command-line tool) and libcurl (a client-side URL transfer library) are widely used in systems to transfer data with URLs. Although details of the vulnerability (CVE-2023-38545) have not been released yet, it is important to proactively identify affected systems so that the patch can be applied quickly.

Threats

There are no reports of the vulnerability being exploited in the wild. However, exploitation could begin quickly after vulnerability details are released.

Affected Versions

The “last several years” of curl versions.

Action Items

Identify systems using curl/libcurl that are functioning as web servers or web application servers and that are exposed to access from the internet. These are likely to be at greater risk and should be prioritized for updates.

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Information for Users

In general, the best protection for your devices is this: keep your software, apps, and operating systems up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious EmailSecure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

 

 This was originally posted on the ITS Safe Computing website.