Curl and Libcurl vulnerabilities.
By Tim Nodar, CyberWire senior staff writer
Oct 12, 2023

Hyped, maybe, but not to be neglected.

The curl project has released a new version of the Linux curl tool and the libcurl library, fixing two vulnerabilities. One of the flaws is a heap-based buffer overflow that could lead to remote code execution.

Exploitation requires a narrow set of preconditions.

CyberScoop notes that the severity of the flaw may have been overhyped before its release, since the vulnerability can only be exploited under very specific circumstances.

Nevertheless, the vulnerabilities merit attention. Johannes Ullrich, dean of research at the SANS Technology Institute, noted, “This is only a valid exploit if you take unvalidated data and create an HTTP request via a SOCKS5 proxy to a hostname created from the unvalidated data. My recommendation is to upgrade without haste. I rate the probability of this happening in actual code as very low. If you accept data, not validate it, and just blindly pass it to libraries like curl, you will likely have other problems that are easier to exploit.”

Implications of the library’s vulnerability.

Alex Ilgayev, Head of Security Research at Cycode, wrote to make the case for taking the flaw seriously. “The new vulnerability in the curl library might prove to be more challenging than the Log4j incident two years ago,” he wrote in emailed comments.

This is a counsel of prudence. “The curl project, or libcurl (the library powering curl), is one of the most popular open-source projects and is one of the foundational networking utilities in the Unix and Linux ecosystems,” Ilgayev said. “As part of cloud-native development processes, this library can be used in many ways - introducing it into the code, using it as a dependency, using it as part of the operating system bundle, using it as part of the Docker container, installed on Kubernetes cluster nodes, and many more. Before the October 11 release of the security advisory, organizations should evaluate their software delivery processes and identify where libcurl is used. This can be accomplished with the help of SCA tooling for code, container scanning, SBOM tooling, and ASPM capabilities. Those organizations not using security tools that provide transparency into their software delivery process will struggle to update this widespread vulnerability.”