Vulnerability summary
On October 11, 2023, curl published a high severity vulnerability, CVE-2023-38545. This flaw makes curl overflow a heap-based buffer in the SOCKS5 proxy handshake when certain options are used.
curl is a command line tool and library for transferring data with URL syntax.
How is Liferay impacted?
Liferay DXP
Liferay DXP is not affected by this vulnerability. Liferay DXP is not bundled with libcurl and Liferay DXP does not call curl with any of the affected options.
Liferay DXP Docker Images
The Liferay DXP Docker Images contain the affected curl libraries, included as part of Ubuntu. However, neither Liferay DXP nor the scripts within the image call curl with any of the affected options or environment variables.
Liferay PaaS
The Liferay Cloud console is not affected by this vulnerability. However, several images are impacted:
- Liferay Docker Images contain the affected curl libraries as part of Ubuntu. Neither Liferay DXP nor the scripts within the image call curl with any of the affected options or environment variables.
- nginx images contain the affected curl libraries.
Liferay SaaS
Liferay SaaS is not affected by this vulnerability.
How can I determine if I am impacted?
Liferay Docker Images
Liferay Docker Images d5.0.46 and below contain the affected curl library.
nginx Docker Images
nginx Docker images 1.21.6 and below contain the affected curl library.
Other Systems
Use the command curl -V to determine the version of curl on your system. Curl versions 7.69.0 through and including 8.3.0 are affected.
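The version check above, as an added example script that is not part of this advisory: it parses the first line of curl -V and reports whether the installed curl falls in the 7.69.0 through 8.3.0 range (the function names are this example's own).

```shell
#!/bin/sh
# Added example (not from the Liferay advisory): flag a curl whose version is in
# the CVE-2023-38545 affected range, 7.69.0 through 8.3.0 inclusive.

# Turn "MAJOR.MINOR.PATCH" into one integer so versions compare numerically.
version_key() {
  printf '%s' "$1" | awk -F. '{ printf "%d", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Succeed (exit 0) when the given curl version is inside the affected range.
curl_version_affected() {
  v=$(version_key "$1")
  lo=$(version_key 7.69.0)
  hi=$(version_key 8.3.0)
  [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Pull the version out of `curl -V` output, whose first line looks like:
#   curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.2 ...
curl_version_from_output() {
  printf '%s\n' "$1" | awk 'NR == 1 && $1 == "curl" { print $2; exit }'
}

# Inspect the curl installed on this host: 0 = not affected, 1 = affected,
# 2 = curl not found.
check_local_curl() {
  out=$(curl -V 2>/dev/null) || { echo "curl not found on PATH"; return 2; }
  ver=$(curl_version_from_output "$out")
  if curl_version_affected "$ver"; then
    echo "curl $ver is in the affected range 7.69.0-8.3.0 (fixed in curl 8.4.0)"
    return 1
  fi
  echo "curl $ver is outside the affected range"
  return 0
}

# Run the check; keep the status in rc so a CI job can `exit $rc` afterwards.
rc=0
check_local_curl || rc=$?
```

Distributions such as Ubuntu often backport the fix without changing the reported version, so treat a hit from this script as a prompt to check the package changelog rather than as proof of exposure.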
Will there be a formal fix for this issue?
Liferay Docker Images
Liferay has released a new version of our Liferay Docker images for the most recent Updates and Fix Packs. Please use the d5.0.47 version of any Liferay Docker image or the latest.
nginx Docker Images
Liferay has made updated nginx Docker images available to mitigate this vulnerability, included in this release. Please use the nginx:1.21.6-5.4.0 image or above.
If using older images, you can install the new curl libraries by updating Alpine. Place the command below in your Dockerfile for the nginx image:
RUN apk update && apk upgrade
Questions?
Please contact your customer success manager or open a Help Center Ticket.