July 26, 2021 - TuxCare PR Team
Continuing our trend of testing all the CVEs that come out that may affect the Linux distributions covered by our Extended Lifecycle Support, the team went to work on CVE-2021-22922 and CVE-2021-22923.
These vulnerabilities affect curl, a data transfer tool that has been around for many years and is bundled as a component in many applications and distributions. It supports a wide range of protocols, encryption mechanisms and architectures, and this versatility has even earned it the distinction of running off planet Earth: curl is part of the software stack in a Martian rover.
This publicity, however, also seems to have attracted the attention of security researchers, and we are glad it did: new vulnerabilities are being discovered in very old curl code that has been in use for decades and was assumed correct all this time. Just this week, another vulnerability was disclosed in code that is over 20 years old. In the IT world, that is like finding a living dinosaur roaming the streets today.
CVE-2021-22922 and CVE-2021-22923 both concern curl’s “--metalink” option. This feature lets a server tell a client (in this case, curl) about alternative locations where a given piece of content can be found, for example to facilitate content distribution by transparently pointing the client to a mirror that is geographically closer to it.
It turns out that, for CVE-2021-22922, if a mirror for a given file was compromised and the file’s content replaced with something else, curl would still download the tampered file even though it no longer matched the hash for that content listed in the metalink. This flaw could therefore lead to malicious content being downloaded without the user noticing.
CVE-2021-22923 describes a vulnerability in how the credentials used to download the original metalink information could be inadvertently and wrongly sent to the mirror server, which could lead to the unauthorised disclosure of those credentials.
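The two defects above have a common defensive shape: verify mirror content against the digest the metalink declares, and scope credentials to the host they were issued for. The following is an added example, not curl’s or TuxCare’s code: a small Python downloader that parses a constructed Metalink v4 document (the RFC 5854 XML format), discards any mirror whose content fails the declared sha-256 hash and moves on to the next one (the check CVE-2021-22922 says curl skipped), and attaches the origin credentials only to requests for the origin host (the scoping CVE-2021-22923 concerns). The hostnames, payloads and credential string are constructed, and the “network” is an in-memory dictionary, so nothing is fetched.

```python
"""Added example (not curl's or TuxCare's code): verifying metalink mirror
content against the declared hash and scoping credentials to the origin host.
Every input below is constructed inline; the "network" is a dictionary."""
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Metalink v4 (RFC 5854) XML namespace.
NS = {"m": "urn:ietf:params:xml:ns:metalink"}

# Constructed payloads: what a healthy mirror and a compromised mirror serve.
GENUINE = b"genuine package payload\n"
TAMPERED = b"tampered package payload\n"

# Constructed hosts and credential. The origin is where the .metalink file
# itself was fetched using these credentials.
ORIGIN_HOST = "origin.example"
ORIGIN_CREDENTIALS = "Basic dXNlcjpzZWNyZXQ="      # constructed, not a real secret
MIRROR_A = "https://mirror-a.example/pkg.tar.gz"   # constructed: compromised mirror
MIRROR_B = "https://mirror-b.example/pkg.tar.gz"   # constructed: healthy mirror

# Constructed metalink document; the declared hash is that of the genuine payload.
METALINK_XML = f"""<metalink xmlns="urn:ietf:params:xml:ns:metalink">
  <file name="pkg.tar.gz">
    <hash type="sha-256">{hashlib.sha256(GENUINE).hexdigest()}</hash>
    <url priority="1">{MIRROR_A}</url>
    <url priority="2">{MIRROR_B}</url>
  </file>
</metalink>"""

# Constructed "network": URL -> bytes the server would return.
MIRROR_CONTENT = {MIRROR_A: TAMPERED, MIRROR_B: GENUINE}


def parse_metalink(xml_text):
    """Return (file name, {hash type: hex digest}, mirror URLs in priority order)."""
    root = ET.fromstring(xml_text)
    file_el = root.find("m:file", NS)
    if file_el is None:
        raise ValueError("metalink has no <file> element")
    hashes = {h.get("type"): h.text.strip() for h in file_el.findall("m:hash", NS)}
    url_els = sorted(file_el.findall("m:url", NS),
                     key=lambda u: int(u.get("priority", "999999")))
    return file_el.get("name"), hashes, [u.text.strip() for u in url_els]


def headers_for(url, origin_host, credentials):
    """Attach the origin's credentials only when the request goes to the origin
    host; a mirror on another host gets no Authorization header at all."""
    if urlparse(url).hostname == origin_host:
        return {"Authorization": credentials}
    return {}


def fake_fetch(url, headers, sent_log):
    """Stand-in for an HTTP client; records which host saw an Authorization header."""
    sent_log.append((urlparse(url).hostname, "Authorization" in headers))
    if url not in MIRROR_CONTENT:
        raise FileNotFoundError(url)
    return MIRROR_CONTENT[url]


def download_verified(metalink_xml, origin_host, credentials, fetch=fake_fetch):
    """Try mirrors in priority order and accept only content whose sha-256
    matches the metalink. A mirror whose content fails the hash is discarded
    and the next one is tried; if none matches, nothing is returned."""
    name, hashes, urls = parse_metalink(metalink_xml)
    expected = hashes.get("sha-256")
    if expected is None:
        raise ValueError("metalink declares no sha-256 hash; refusing to download blind")
    sent_log, rejected = [], []
    for url in urls:
        try:
            body = fetch(url, headers_for(url, origin_host, credentials), sent_log)
        except FileNotFoundError:
            continue
        if hashlib.sha256(body).hexdigest() == expected:
            return {"name": name, "body": body, "source": url,
                    "rejected": rejected, "sent_log": sent_log}
        rejected.append(url)
    raise ValueError(f"no mirror served content matching sha-256 {expected}")


if __name__ == "__main__":
    result = download_verified(METALINK_XML, ORIGIN_HOST, ORIGIN_CREDENTIALS)
    print(f"accepted {result['name']} from {result['source']}; "
          f"rejected {result['rejected']}; auth sent: {result['sent_log']}")
```

Run as a script, the downloader rejects the first (compromised) mirror, accepts the second, and the sent_log shows that neither mirror host ever received the Authorization header. Swapping fake_fetch for a real HTTP client does not change the two checks, which is the point: the digest comparison and the host comparison live in the client, not in whatever the mirror chooses to serve.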
Neither vulnerability is currently known to have public exploit code.
Additionally, the TuxCare Team has determined that the curl versions included in the supported systems under its Extended Lifecycle Support are NOT affected by these vulnerabilities, and thus do not require any patches to deal with them specifically. EL6’s curl does not have this option, and in Ubuntu it is disabled by default.
If you’re interested in knowing more about the Extended Lifecycle Support, or other TuxCare services, you can find more information here.
The TuxCare Team continues to test all the vulnerabilities so that you don’t have to, taking care of Linux’s security while you focus on your business’ needs.