Open-source Languages & Tools for z/OS


Critical CVEs affecting z/OS Curl - 4Q 2023


    Posted 12 days ago

    Critical CVEs affecting z/OS Curl were published recently (Oct 20th) that may impact customers of Rocket Open AppDev for Z: CVE-2023-38545, CVE-2023-38546. We have completed new builds of Git and Curl that address these vulnerabilities, which affect version 2.0.6 and may affect older versions as well. A new build of Rocket's Open AppDev for Z has been prepared, tested and is ready now for download from Rocket's secure conda channel server.

    Other vulnerabilities fixed in this update include:

    CVE-2023-35945, related to Envoy, a cloud service proxy, and rated at 7.5 on NIST.

    CVE-2023-44487, related to the HTTP/2 protocol, rated at 7.5 on NIST and currently undergoing reanalysis.

    Optional extended text:

    CVE-2023-38545 is a high severity issue that affects networking capabilities. It can be exploited by malicious actors if a hostname of a SOCKS5 proxy is provided to Git or libcurl, or if the actor is in control of an HTTPS server that the user is directing Git or libcurl towards. If those circumstances are met, an attacker could exploit a buffer overflow resulting in RCE. Given the seriousness of the issue and out of an abundance of caution, we have fixed the CVE ahead of our usual quarterly release schedule.

    The issue can be mitigated for affected versions of the packages by setting the CURLOPT_BUFFERSIZE environment variable to 65541 or greater. The Curl standalone tool is not affected unless that variable is explicitly set to a lower value.

    Jeff Cherrington
    Rocket Internal - All Brands
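An added example, not part of the post above or of Rocket's tooling: a small POSIX sh check that reads a `curl --version` banner and reports whether the build falls in the upstream version range affected by CVE-2023-38545 (7.69.0 through 8.3.0, fixed upstream in 8.4.0). The banner is a constructed sample; on a real system pipe `curl --version` into `curl_version_from_banner`.

```shell
#!/bin/sh
# Added example (not from the post): flag curl/libcurl builds whose upstream
# version lies in the CVE-2023-38545 (SOCKS5 heap overflow) affected range.
# Upstream range 7.69.0 .. 8.3.0, fixed in 8.4.0 (curl project advisory).
# Caveat: vendor rebuilds such as Rocket's patched Open AppDev for Z package
# may backport the fix without changing the version string, so "in range"
# means "confirm the vendor patch level", not "proven exposed".

# Turn "major.minor.patch" into one integer so versions compare numerically.
version_key() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True (exit 0) when the version is inside the upstream affected range.
curl_affected_by_cve_2023_38545() {
    v=$(version_key "$1")
    lo=$(version_key 7.69.0)
    hi=$(version_key 8.3.0)
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Extract the version from the first line of `curl --version` output.
curl_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Constructed sample banner standing in for `curl --version` on z/OS.
SAMPLE_BANNER='curl 8.3.0 (s390x-ibm-os390) libcurl/8.3.0 OpenSSL/3.0.10 zlib/1.2.13
Release-Date: 2023-09-13
Protocols: file ftp ftps http https
Features: SSL libz'

# Report the verdict for a banner; exit 1 when the build needs attention.
check_banner() {
    ver=$(curl_version_from_banner "$1")
    if curl_affected_by_cve_2023_38545 "$ver"; then
        echo "curl $ver: in upstream CVE-2023-38545 range; verify vendor patch level"
        return 1
    fi
    echo "curl $ver: outside affected range"
    return 0
}

check_banner "$SAMPLE_BANNER" || true
```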