This Internet Backbone App Needs A Real Adjustment
While everyone uses Curl on a daily basis, not everyone needs to interface with it directly. If you are one of those who use the ubiquitous command-line data transfer tool, you are going to want to update to Curl 8.4.0 as soon as you’ve backed up any containers that might become upset. If you don’t use Curl, or are unsure what it is, don’t panic, as you are not the one who needs to install the update.
The Curl team is not disclosing what the vulnerability is, but The Register offers some clues in its coverage. The vulnerability is classed as high severity, indicating remote access or code execution is possible via an unpatched Curl install, and security researcher Ax Sharma’s comment that it targets “docker base images that aren’t receiving updates” gives an idea of the targets.
The developers want to reassure everyone that this is not as bad as Log4j, but the target app is one of the pillars the internet is built on, so we hope all the sysadmins out there will jump on this as soon as they can.