Highlighting the Importance of Open Source Security Through cURL Vulnerabilities
November 20, 2023
Open source is a powerful means for next-gen developers to take full advantage of development on the mainframe. Open-source tools and languages like Git, cURL, Python, and Bash have become an important piece of the DevOps puzzle, helping accelerate development time in the process. But, as with any technology, security risks remain. By its very nature, open-source software presents unique security risks and vulnerabilities that need to be addressed.
Recently, a new vulnerability in cURL, an open-source tool supported within Rocket® Open AppDev for Z, was uncovered that had the potential to open users up to increased security risk. Here’s a quick look at what this vulnerability is and how Rocket Software was able to update its software and ensure customers and users remain secure.
cURL Vulnerabilities
Recently, a critical-severity heap buffer overflow vulnerability (CVE-2023-38545) was identified within cURL. With a CVSS score of 9.8 CRITICAL, this vulnerability presents an elevated risk of enabling remote code execution in applications that use affected versions of the cURL library.
As NIST highlights in its Common Vulnerabilities and Exposures (CVE) description: "This flaw makes curl overflow a heap-based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. Due to this bug, the local variable that means 'let the host resolve the name' could get the wrong value during a slow SOCKS5 handshake, and, contrary to the intention, copy the too-long host name to the target buffer instead of copying just the resolved address there." More on this vulnerability and its impact can be found here.
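The 255-byte limit in the description above comes from the SOCKS5 wire format itself: a domain-name target is sent behind a single length byte. The following is an added example, not code from the page or from the curl project, showing the defensive shape of a SOCKS5 request encoder: the "resolve locally" decision is recomputed from the host name on every call rather than cached in a local that a resumed handshake could re-initialise, and the length is checked before any copy. The function names `socks5_resolve_locally` and `socks5_build_connect` are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SOCKS5 ATYP 0x03 ("domain name") carries the host name behind a single
 * length byte, so the protocol itself caps the name at 255 bytes. */
#define SOCKS5_MAX_HOSTNAME 255

/* Decide, from the host name alone, whether the client must resolve the
 * name itself instead of handing it to the proxy. This is recomputed on
 * every call rather than stored in a local that a resumed (slow) handshake
 * might re-initialise to the wrong default. */
bool socks5_resolve_locally(const char *host)
{
    return strlen(host) > SOCKS5_MAX_HOSTNAME;
}

/* Encode a SOCKS5 CONNECT request for a domain-name target:
 *   VER=5 CMD=1 RSV=0 ATYP=3 LEN host[LEN] PORT(2 bytes, network order)
 * Returns the number of bytes written, or -1 if the name is too long for
 * the protocol or the output buffer cannot hold the request. */
int socks5_build_connect(const char *host, uint16_t port,
                         unsigned char *out, size_t outlen)
{
    size_t hostlen = strlen(host);
    size_t need = 4 + 1 + hostlen + 2;

    /* Length check first: never let the copy below run past either the
     * 1-byte length field or the caller's buffer. */
    if (hostlen == 0 || hostlen > SOCKS5_MAX_HOSTNAME || need > outlen)
        return -1;

    out[0] = 0x05;                     /* protocol version */
    out[1] = 0x01;                     /* CONNECT */
    out[2] = 0x00;                     /* reserved */
    out[3] = 0x03;                     /* ATYP: domain name */
    out[4] = (unsigned char)hostlen;   /* fits: checked above */
    memcpy(&out[5], host, hostlen);
    out[5 + hostlen] = (unsigned char)(port >> 8);
    out[6 + hostlen] = (unsigned char)(port & 0xff);
    return (int)need;
}
```

A name longer than 255 bytes is rejected by the encoder and flagged for local resolution; the two checks agree because both derive from the same host name, never from saved handshake state.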
Rocket Software Support Swiftly Patches Vulnerabilities
As part of its work cataloguing open-source vulnerabilities, NIST's National Vulnerability Database (NVD) also scores the severity and impact a vulnerability can have, using the Common Vulnerability Scoring System (CVSS). This particular cURL vulnerability received a 9.8 CVSS score, earning the categorization of critical and making it an incredibly serious risk to users.
For Rocket Software customers leveraging open-source tools like cURL, this critical vulnerability presents a risk to application development, particularly where those tools are unsupported, for up to six months after its discovery. Given the level of severity, the Rocket Software team recognized the need to act quickly to update its own open-source solutions and was able to patch the vulnerability in just two days.
As organizations look for ways to effectively navigate these risks, it’s imperative that they lean on the support of a trusted and experienced technology partner to provide open-source solutions, like Open AppDev for Z, that are up-to-date with the latest security requirements.
Learn more about how Rocket Software can help keep your open-source operations secure.