Advisory: curl high severity vulnerability

Informational
CVE(s): CVE-2023-38545
Updated:
Product(s)
Cloud Optix
Intercept X Endpoint
Intercept X for Server
SafeGuard Enterprise (SGN)
Sophos Central
Sophos Connect Client 2.0
Sophos Email
Sophos Firewall
Sophos Home
Sophos Mobile
Sophos Mobile EAS Proxy
Sophos RED
Sophos Switch
Sophos UTM
Sophos Wireless
Sophos ZTNA
SophosLabs Intelix
Publication ID: sophos-sa-20231023-curl-vuln
Article Version: 1
First Published:
Workaround: No

Overview

On Wednesday, October 11, 2023, the curl project released version 8.4.0, which contains a fix for a high severity vulnerability.

curl is both a library (libcurl) and a command-line utility for making arbitrary web requests, and it is used by a very large number of applications. The vulnerability primarily affects the libcurl library, whereas the curl tool is only affected when the user sets certain options related to rate limiting.

Libcurl is a very versatile networking library. As a result, a very large number of applications are potentially affected by this vulnerability.

Patches for curl

The fix is included in version 8.4.0 and newer versions, and can be downloaded here: https://curl.se/download.html

The code change for the fix can be reviewed here: https://github.com/curl/curl/commit/fb4415d8aee6c1
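
To check a host against the fixed release named above, the following added example (not Sophos or curl project code) reads the libcurl version from a `curl --version` banner and compares it with 8.4.0. The function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a `curl --version` banner against the fixed release.
# It compares version strings only. Distribution packages may backport the fix
# under an older version number, so confirm with the package vendor's advisory.

FIXED="8.4.0"   # first fixed release, as stated in this advisory

# version_lt A B: succeed when dotted version A is lower than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# libcurl_version BANNER: print the version from the "libcurl/x.y.z" token on
# the first banner line. The advisory says the flaw is mainly in the library,
# so the library token is checked rather than the tool version before it.
libcurl_version() {
    printf '%s\n' "$1" | head -n 1 | tr ' ' '\n' |
        sed -n 's|^libcurl/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# check_banner BANNER: print "fixed", "needs-update" or "unknown".
check_banner() {
    v=$(libcurl_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_lt "$v" "$FIXED"; then
        echo "needs-update"
    else
        echo "fixed"
    fi
}

# Constructed sample banners. The last one pairs a newer tool with an older
# library, which a check of the tool version alone would miss.
for banner in \
    "curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11 zlib/1.2.13" \
    "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.10 zlib/1.2.13" \
    "curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/3.0.11"
do
    printf '%-13s %s\n' "$(check_banner "$banner")" "$banner"
done

# On a live host: check_banner "$(curl --version)"
```

Applications that bundle their own copy of libcurl do not show up in the system tool's banner and need to be checked separately.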

What Sophos products are affected?

Sophos is reviewing and patching all affected applications and services as part of its incident response process.

| Product or Service | Status | Description |
| --- | --- | --- |
| Cloud Optix | Not affected | Vulnerable code cannot be controlled by adversary |
| PureMessage Exchange | Not affected | Component not present |
| PureMessage Unix | Not affected | Component not present |
| SafeGuard Enterprise (SGN) | Not affected | Vulnerable code not present |
| SG UTM (all versions) | Not affected | Vulnerable code not present |
| Sophos Central | Not affected | Vulnerable code cannot be controlled by adversary |
| Sophos Endpoint protection (Windows) | Not affected | Component not present |
| Sophos Endpoint protection (macOS) | Not affected | Component not present |
| Sophos Endpoint protection (Linux) | Not affected | Vulnerable code cannot be controlled by adversary |
| Sophos Email | Not affected | Vulnerable code not present |
| Sophos Enterprise Console (SEC) | Not affected | Component not present |
| Sophos Firewall (all versions) | Not affected | Vulnerable code not in execute path |
| SophosConnect client | Not affected | Component not present |
| Sophos Home (Windows) | Not affected | Component not present |
| Sophos Home (macOS) | Not affected | Component not present |
| Sophos Mobile | Not affected | Component not present |
| Sophos Mobile EAS Proxy | Not affected | Component not present |
| Sophos Mobile Control app (iOS + Android) | Not affected | Component not present |
| Sophos Intercept X for Mobile app (iOS + Android) | Not affected | Vulnerable code not in execute path |
| Sophos Secure Email app (iOS + Android) | Not affected | Component not present |
| Sophos Secure Workspace app (iOS + Android) | Not affected | Component not present |
| Sophos Chrome Security | Not affected | Component not present |
| Sophos PhishThreat | Not affected | Vulnerable code not present |
| Sophos RED | Not affected | Vulnerable code not in execute path |
| Sophos AP/APX | Not affected | Vulnerable code not in execute path |
| Sophos Wireless | Not affected | Vulnerable code not in execute path |
| Sophos Switch | Not affected | Vulnerable code not in execute path |
| Sophos Central Managed APX | Not affected | Vulnerable code not in execute path |
| SAV DI | Not affected | Vulnerable code not in execute path |
| SUSI | Affected | Fix in SUSI v2.4 (expected in CQ4) |
| AV Engine (all platforms) | Not affected | Vulnerable code cannot be controlled by adversary |

Related Information