Overview
On Wednesday, October 11, 2023, the curl project released version 8.4.0 containing a fix for a high-severity vulnerability.
Curl is both a library and a command-line utility for making arbitrary web requests and is used by a very large number of applications. The vulnerability primarily affects the libcurl library, whereas the curl tool is only affected when the user sets certain options related to rate limiting.
Libcurl is a very versatile networking library. As a result, a very large number of applications are potentially affected by this vulnerability.
Patches for curl
The fix is included in version 8.4.0 and newer versions, and can be downloaded here: https://curl.se/download.html
The code change of the fix can be reviewed here: https://github.com/curl/curl/commit/fb4415d8aee6c1
What Sophos products are affected?
Sophos is reviewing and patching all affected applications and services as part of its incident response process.
Product or Service | Status | Description |
---|---|---|
Cloud Optix | Not affected | Vulnerable code cannot be controlled by adversary |
PureMessage Exchange | Not affected | Component not present |
PureMessage Unix | Not affected | Component not present |
SafeGuard Enterprise (SGN) | Not affected | Vulnerable code not present |
SG UTM (all versions) | Not affected | Vulnerable code not present |
Sophos Central | Not affected | Vulnerable code cannot be controlled by adversary |
Sophos Endpoint protection (Windows) | Not affected | Component not present |
Sophos Endpoint protection (macOS) | Not affected | Component not present |
Sophos Endpoint protection (Linux) | Not affected | Vulnerable code cannot be controlled by adversary |
Sophos Email | Not affected | Vulnerable code not present |
Sophos Enterprise Console (SEC) | Not affected | Component not present |
Sophos Firewall (all versions) | Not affected | Vulnerable code not in execute path |
SophosConnect client | Not affected | Component not present |
Sophos Home (Windows) | Not affected | Component not present |
Sophos Home (macOS) | Not affected | Component not present |
Sophos Mobile | Not affected | Component not present |
Sophos Mobile EAS Proxy | Not affected | Component not present |
Sophos Mobile Control app (iOS + Android) | Not affected | Component not present |
Sophos Intercept X for Mobile app (iOS + Android) | Not affected | Vulnerable code not in execute path |
Sophos Secure Email app (iOS + Android) | Not affected | Component not present |
Sophos Secure Workspace app (iOS + Android) | Not affected | Component not present |
Sophos Chrome Security | Not affected | Component not present |
Sophos PhishThreat | Not affected | Vulnerable code not present |
Sophos RED | Not affected | Vulnerable code not in execute path |
Sophos AP/APX | Not affected | Vulnerable code not in execute path |
Sophos Wireless | Not affected | Vulnerable code not in execute path |
Sophos Switch | Not affected | Vulnerable code not in execute path |
Sophos Central Managed APX | Not affected | Vulnerable code not in execute path |
SAV DI | Not affected | Vulnerable code not in execute path |
SUSI | Affected | Fix in SUSI v2.4 (expected in CQ4) |
AV Engine (all platforms) | Not affected | Vulnerable code cannot be controlled by adversary |