The maintainers of curl, the popular command-line tool and library for transferring data with URLs, will release curl 8.4.0 on October 11, 2023. This version will include a fix for two common vulnerabilities and exposures (CVEs), one of which the curl maintainers rate as “HIGH” severity and described as “probably the worst curl security flaw in a long time.”
The CVE IDs are:
CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool)
CVE-2023-38546: severity LOW (affects libcurl only, not the tool)
Specific details of the exploit have yet to be published. We expect these details to be published when the version update becomes available.
We will continue to update this blog post as more information becomes available.
In the meantime, you can prepare ahead of exploitability details being released on October 11 by using Docker Scout to check whether you’re using the curl library as a dependency in any of the container images in your organization.
Am I vulnerable?
We anticipate that any version of curl prior to 8.4.0 will be affected by these CVEs, so now is a good time to build up a list of what you’ll need to update on October 11, 2023.
Having a dependency on curl won’t necessarily mean the exploit will be possible for your application. When more details are published, Docker Scout will surface specifics about the exploitability of this vulnerability. The first step is to understand whether your images have a dependency on curl.
Quickest way to assess all images
The quickest way to assess all images is to enable Docker Scout for your container registry.
Step 1: Enable Docker Scout
Docker Scout currently supports Docker Hub, JFrog Artifactory, and AWS Elastic Container Registry. Instructions for integrating Docker Scout with these container registries:
Integrating Docker Scout with Docker Hub
Integrating Docker Scout with JFrog Artifactory
Integrating Docker Scout with AWS Elastic Container Registry
Note: If your container registry isn’t supported right now, you’ll need to use the local evaluation method via the CLI, described later.
Step 2: Select the repositories you want to analyze and kick off an analysis
Docker Scout analyzes all local images by default, but to analyze images in remote repositories, you need to enable Docker Scout image analysis. You can do this from Docker Hub, the Docker Scout Dashboard, and CLI. Find out how in the overview guide.
Sign in to your Docker account with the docker login command or use the Sign in button in Docker Desktop.
Use the Docker CLI docker scout repo enable command to enable analysis on an existing repository:
$ docker scout repo enable –org <org-name> <org-name>/scout-demo
Step 3: Visit scout.docker.com
On the scout.docker.com homepage, find the policy card called No vulnerable version of curl and select View details (Figure 1).
Figure 1: Docker Scout dashboard with the policy card that will help identify if and where the vulnerable version of curl exists.
The resulting list contains all the images that violate this policy — that is, they contain a version of curl that is likely to be susceptible to the HIGH severity CVE (CVE-2023-38545) listed above.
Figure 2: Docker Scout showing list of images that violate the policy by containing affected versions of the curl library.
Alternative CLI method
An alternative method is to use the Docker Scout CLI to analyze and evaluate local container images.
You can use the docker scout policy command to evaluate images against Docker Scout’s built-in policies on the command line, including the No vulnerable version of curl.
docker scout policy [IMAGE] –org [ORG]
Figure 3: Docker Scout showing the results of running the Docker Scout command to evaluate a container image against the ‘No vulnerable version of curl’ policy.
If you’d rather understand all the CVEs identified in an individual container image, you can run the following command. This method doesn’t require you to enable Docker Scout in your container registry but will take a little longer if you have a large number of images to analyze.
docker scout cves [OPTIONS] [IMAGE|DIRECTORY|ARCHIVE]
Learn more
Follow direct updates from the maintainer of curl project via the GitHub issue.
Learn more about Docker Scout at docs.docker.com/scout.
Read Announcing Docker Scout GA: Actionable Insights for the Software Supply Chain.
Quelle: https://blog.docker.com/feed/
Published by