
Chainguard’s response to CVE-2023-38545 and CVE-2023-38546 in curl

Dan Luhring, Staff Software Engineer
October 11, 2023

Curl, the versatile command-line tool and library for transferring data with URLs, has long been a linchpin in the world of networking and data communication. Curl supports a myriad of protocols, including HTTP, HTTPS, FTP, FTPS, SCP, SFTP, LDAP, and more.

Just over a week ago, Daniel Stenberg, the maintainer of the popular command-line tool curl, announced on X that a high-severity CVE had been discovered in curl that warranted cutting short the normal release cycle, along with a low-severity CVE discovered at the same time.

He described the high-severity CVE as “actually the worst security problem found in curl in a long time” in another post later that day.

On October 4, Stenberg provided this post on GitHub, but still no real information about the CVE was publicly available.

The details

Early this morning, the details of the vulnerability became public.

It turns out that this vulnerability affects users of curl and libcurl that are using SOCKS5, a proxy protocol. Malicious actors can trigger the vulnerability if they can get curl to process a hostname long enough to exceed curl’s download buffer. Triggering it also requires the SOCKS handshake to take a reasonably long time to complete.

Since this is a heap-based buffer overflow, it’s difficult to know the exact worst-case impact without examining specific scenarios. But any time an attacker can influence the data stored in memory in ways a program’s design doesn’t account for, it’s important to be cautious and patch the software as soon as possible.
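To make the "hostname too long for the buffer" condition concrete, here is an added illustration (not curl's code, not from this post) of the check a SOCKS5 client needs before copying a hostname anywhere. It goes slightly beyond the post: in the SOCKS5 wire format (RFC 1928) a domain-name target is carried behind a one-byte length field, so the protocol itself cannot express a hostname longer than 255 bytes, and a client has to reject such names rather than copy them into a fixed-size buffer. The function names and the 399-byte sample hostname are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not curl's code. A SOCKS5 CONNECT request (RFC 1928)
 * that names the target by domain (ATYP 0x03) carries the hostname behind a
 * one-byte length field, so the protocol caps it at 255 bytes. Copying a
 * longer hostname into a fixed-size buffer without checking is the kind of
 * heap overflow described above; here the length is checked before any copy. */
#define SOCKS5_MAX_NAME 255
#define SOCKS5_HDR 4   /* VER, CMD, RSV, ATYP */
#define SOCKS5_REQ_MAX (SOCKS5_HDR + 1 + SOCKS5_MAX_NAME + 2)

/* Writes the request into out (capacity outlen) and returns its length,
 * or -1 if the hostname cannot be expressed in SOCKS5 or out is too small. */
int socks5_build_connect(const char *host, uint16_t port,
                         uint8_t *out, size_t outlen)
{
    size_t hlen = strlen(host);
    size_t need = SOCKS5_HDR + 1 + hlen + 2;
    /* The bound check is the mitigation: refuse rather than truncate or overflow. */
    if (hlen == 0 || hlen > SOCKS5_MAX_NAME || need > outlen)
        return -1;
    out[0] = 0x05;               /* VER: SOCKS5 */
    out[1] = 0x01;               /* CMD: CONNECT */
    out[2] = 0x00;               /* RSV */
    out[3] = 0x03;               /* ATYP: domain name */
    out[4] = (uint8_t)hlen;      /* name length, at most 255 */
    memcpy(out + 5, host, hlen); /* safe only because of the check above */
    out[5 + hlen] = (uint8_t)(port >> 8);   /* DST.PORT, network byte order */
    out[6 + hlen] = (uint8_t)(port & 0xff);
    return (int)need;
}

/* Builds a request for host on port 443 in a local buffer; returns length or -1. */
int socks5_connect_len(const char *host)
{
    uint8_t req[SOCKS5_REQ_MAX];
    return socks5_build_connect(host, 443, req, sizeof req);
}

/* Constructed 399-byte hostname: longer than SOCKS5 can carry, so it must be
 * rejected instead of overflowing the request buffer. Returns 1 on rejection. */
int socks5_long_name_rejected(void)
{
    char longname[400];
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    return socks5_connect_len(longname) == -1;
}
```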

Chainguard CEO Dan Lorenc discussed the vulnerability today in a synopsis. Check out the full recording here.

This is why Chainguard Images exist

Within minutes of the patches’ availability, the Wolfi community had shipped an updated version of curl and published new security advisory data to the world. And within the next two hours, Chainguard had updated every affected Image in the Chainguard Registry (cgr.dev), so customers and public-tier users can get access to secure container images without delay.

Chainguard Images were designed with exactly this scenario in mind, which allows us to address vulnerabilities fast, sometimes fixing a vulnerability before scanners are even aware of it. Our modern approach to producing packages and container images, using open source tools like melange and apko, gives us the capacity for efficient and reproducible builds at scale.

As of the time this blog post was published, many popular images remain unpatched. Chainguard Images were patched immediately once the fix was released to protect against CVE-2023-38545 and CVE-2023-38546.

What our users can expect from scanners

Different scanning solutions refresh their vulnerability data at different cadences. For example, Grype updates its data once a day at 04:00 UTC, and Trivy updates its data every six hours, starting at midnight UTC. In this case, that means Trivy will start detecting unpatched versions of curl first.

Because Chainguard published updated security data so quickly, all of our scanner integrations that support Chainguard Images will be able to confirm that you’re using the latest secure software from Chainguard as soon as their next data refresh happens.

Note: If you’re using one or more Chainguard Images as a base image for your own image, make sure to rebuild your image as soon as possible in order to pick up the patched version of curl.

Get started with Chainguard Images

According to Chainguard Labs research, popular container images, when not updated, accumulate one known vulnerability per day. Chainguard Images’ daily image rebuild policy ensures that you are using the latest, most up-to-date version of the container images you rely on to run your application.

You can try Chainguard Images for free today to see for yourself how we're working to improve the container image landscape with a secure-by-default design. Our public tier Images are available on the :latest and :latest-dev versions only. Our Images inventory is always expanding. If you need something you don’t see listed in our catalog, let us know.
