Critical CVEs affecting z/OS Curl were published recently (Oct 20th) that may impact customers of Rocket Open AddDev for Z: CVE-2023-38545 , CVE-2023-38546. We have completed new builds of Git and Curl that address these vulnerabilities that affect version 2.0.6 and may affect older versions as well. A new build of Rocket's Open AppDev for Z version 2.0.6.1 has been prepared, tested and is ready now for download from Rocket's secure conda channel server.
Other vulnerabilities fixed in this update include:
CVE-2023-35945, related to Envoy a cloud service proxy and rated at 7.5 on NIST.
CVE-2023-44487, related to HTTP/2 protocol and rated at 7.5 on NIST and, currently undergoing reanalysis.
Optional extended text:
CVE-2023-38545 is a high severity issue that affects networking capabilities. It can be exploited by malicious actors if a hostname of a SOCKS5 proxy provided to Git or libcurl or is in control of an HTTPS server that the user is directing Git or libcurl towards. If those circumstances are met an attacker could exploit a buffer overflow resulting in RCE. Given the seriousness of the issue and out of an abundance of caution, we have fixed the CVE ahead of our usual quarterly release schedule.
The issue can be mitigated for affected versions of the packages by setting the CURLOPT_BUFFERSIZE environment variable to 65541 or greater. The Curl standalone tool is not affected unless that variable is explicitly set to a lower value.
------------------------------
Jeff Cherrington
Vice-President
Rocket Internal - All Brands
------------------------------