As a user of the SeNtinel Application Platform (SNAP-V9) for evaluating Sentinel data in our agency, I have a question about the following warning from the warning and information service of CERT Nord. It says:
“… based on information on heise.de and also in other sources (see links below) we would like to forward a recommendation from the Dataport SOC. Unfortunately, no details of the vulnerability are currently known, but the founder of the cURL project describes the vulnerability as ‘the worst security hole in a long time’. The cURL and libcurl components are widespread and used in many applications. cURL is a tool used by numerous applications to execute web requests.”
Blog post from security service provider Qualys:
Notes from the service provider Tenable:
Through scanning our systems, cURL files and its libcurl library also appeared in SNAP (version not recognized?).
Now the question is, how do you deal with this problem? How secure is the SNAP application? When will a corresponding update come?
The following information is also available:
Distributor: all CISOs, all ISBs of all sponsoring countries, municipalities and service providers
Topic: Announcing an updated version of the cURL component regarding CVE-2023-38545
Affected components: cURL < 8.4 and libcurl
CVSS: not yet known, announced as critical Threat situation
Source: heise.de, as well as other sources
Patch: The update for cURL and libcurl will be available from October 11th, 2023 at 8:00 a.m.
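
A check for the scan finding mentioned in the post (libcurl present in SNAP, version not recognized), as an added example that is not part of the original post or of SNAP. It walks a directory, looks for the plain-text `libcurl/<version>` banner that ordinary libcurl builds embed, and compares it with the "cURL < 8.4" threshold from the advisory; the function names and sample bytes are constructed, and a stripped or customized build may carry no banner.

```python
import re
import sys
from pathlib import Path

# Threshold taken from the advisory quoted above: "cURL < 8.4" is affected.
FIXED = (8, 4, 0)
# Assumption: the binary still carries its plain-text banner
# "libcurl/<major>.<minor>.<patch>" (usual for ordinary builds, not guaranteed).
BANNER = re.compile(rb"libcurl/(\d{1,3})\.(\d{1,3})\.(\d{1,3})")
OVERLAP = 32  # longer than any banner, so a match split across chunks is kept

def versions_in_bytes(data):
    return {tuple(int(p) for p in m.groups()) for m in BANNER.finditer(data)}

def versions_in_file(path, chunk_size=1 << 20):
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while block := fh.read(chunk_size):
            buf = tail + block
            found |= versions_in_bytes(buf)
            tail = buf[-OVERLAP:]
    return found

def status(versions):
    if not versions:
        return "no banner"
    return "affected" if min(versions) < FIXED else "fixed"

def scan_tree(root):
    """Map each file that embeds a libcurl banner to (versions, status)."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.is_symlink():
            continue
        try:
            versions = versions_in_file(path)
        except OSError:
            continue  # unreadable file: skip it, do not abort the scan
        if versions:
            report[str(path)] = (sorted(versions), status(versions))
    return report

# Constructed sample bytes (not taken from SNAP), used when no path is given.
SAMPLE = b"\x00\x01GCC\x00libcurl/8.3.0\x00OpenSSL\x00"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, (vers, verdict) in scan_tree(sys.argv[1]).items():
            print(verdict, ".".join(map(str, vers[0])), name)
    else:
        print(status(versions_in_bytes(SAMPLE)))
```

Run it with the installation directory as the only argument. Files without a banner are not listed, which means the version is unknown, not that the file is unaffected.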