Anolis OS update for curl
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2022-32206 CVE-2022-32208 |
| CWE-ID | CWE-400 CWE-347 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Anolis OS Operating systems & Components / Operating system libcurl-minimal Operating systems & Components / Operating system package or component libcurl-devel Operating systems & Components / Operating system package or component libcurl Operating systems & Components / Operating system package or component curl Operating systems & Components / Operating system package or component |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Resource exhaustion
EUVDB-ID: #VU64682
Risk: Medium
CVSSv4.0: 4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-32206
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insecure processing of compressed HTTP responses. A malicious server can send a specially crafted HTTP response to curl and perform a denial of service attack by forcing curl to spend enormous amounts of allocated heap memory, or trying to and returning out of memory errors.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
libcurl-minimal: before 7.61.1-22
libcurl-devel: before 7.61.1-22
libcurl: before 7.61.1-22
curl: before 7.61.1-22
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:libcurl-minimal:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:libcurl-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:libcurl:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:curl:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2022:0655
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU64685
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-32208
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to improper handling of message verification failures when performing FTP transfers secured by krb5. A remote attacker can perform MitM attack and manipulate data.
Install updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
libcurl-minimal: before 7.61.1-22
libcurl-devel: before 7.61.1-22
libcurl: before 7.61.1-22
curl: before 7.61.1-22
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:a:openanolis:libcurl-minimal:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:libcurl-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:libcurl:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:a:openanolis:curl:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2022:0655
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
