You are here

Home › Curl vulnerabilities fixed in Version 7.50.1

Curl vulnerabilities fixed in Version 7.50.1

Submitted on 4. August 2016 - 11:55 by rischi.
Last update on 19. January 2017 - 14:56.
IDs: 
CVE-2016-5419, CVE-2016-5420, CVE-2016-5421
Keywords: 
curl, TLS, SSL, certificate
Description: 

Curl released a new version 7.50.1 fixing three vulnerabilities.

Airlock WAF is probably not affected.

Details:

  • CVE-2016-5419: Wrong re-use of TLS session IDs if a back-end server is configured multiple times with different client certificate settings [1].
  • CVE-2016-5420: Wrong re-use of TLS connections if a back-end server is configured multiple times with different client certificate settings [2].
  • CVE-2016-5421: Use-after-free vulnerability [3]. Airlock WAF is not affected because the library is used in a way no "use-after-free" can happen.
Resolution: 

Airlock WAF is only affected if all of the following criteria apply

  • The same HTTPS back-end host is configured in multiple back-end groups, i.e. same hostname, port and protocol HTTPS is configured in different back-end groups.
  • Client certificate authentication is configured differently for these back-end groups, e.g. one group with client certificate authentication while the other without or with a different client certificate.
  • The back-end server provides different HTTP responses depending on the client certificate. 

Please contact Airlock WAF support if all of these criteria apply to your setup.

Component: 
Airlock
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
No action required
Reference: 
[1] TLS session resumption client cert bypass
[2] Re-using connections with wrong client cert
[3] use of connection struct after free
© Ergon Informatik AG