CVE-2021-22897 - log

CVE-2021-22897 edited at 29 May 2021 18:35:00
Description
A security issue has been found in curl before version 7.77.0. libcurl lets applications specify which specific TLS ciphers to use in transfers, using the option called CURLOPT_SSL_CIPHER_LIST. The cipher selection is used for the TLS negotiation when a transfer is done involving any of the TLS based transfer protocols libcurl supports, such as HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
Due to a mistake in the code, the selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
+
+ This flaw can only trigger when Schannel is used, which is the native TLS library in Microsoft Windows.
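The shared-state defect described above, modelled as an added C example (this is not curl's code): one static buffer holding the cipher list for every transfer, beside the corrected per-transfer storage. The function names and the cipher-list strings are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (modelled): a single library-wide static buffer.
 * Whichever transfer sets its cipher list last wins for all of them. */
static char shared_cipher_list[128];

static const char *vuln_set_ciphers(const char *list)
{
    snprintf(shared_cipher_list, sizeof shared_cipher_list, "%s", list);
    return shared_cipher_list;      /* every caller sees the same storage */
}

/* Corrected pattern: the cipher list lives in per-transfer state. */
struct transfer {
    char cipher_list[128];
};

static void fixed_set_ciphers(struct transfer *t, const char *list)
{
    snprintf(t->cipher_list, sizeof t->cipher_list, "%s", list);
}

/* Returns 1 if transfer A's selection survives transfer B choosing a
 * different list, 0 if B clobbered it. Suite names are constructed. */
int vuln_isolated(void)
{
    const char *a = vuln_set_ciphers("STRONG_SUITE_A");
    vuln_set_ciphers("WEAK_SUITE_B");   /* a concurrent transfer */
    return strcmp(a, "STRONG_SUITE_A") == 0;   /* 0: A now uses B's list */
}

int fixed_isolated(void)
{
    struct transfer a, b;
    fixed_set_ciphers(&a, "STRONG_SUITE_A");
    fixed_set_ciphers(&b, "WEAK_SUITE_B");
    return strcmp(a.cipher_list, "STRONG_SUITE_A") == 0;   /* 1 */
}

int main(void)
{
    printf("static storage keeps A's ciphers: %d\n", vuln_isolated());
    printf("per-transfer storage keeps A's ciphers: %d\n", fixed_isolated());
    return 0;
}
```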
CVE-2021-22897 edited at 26 May 2021 10:20:30
Severity
- Unknown
+ Low
Remote
- Unknown
+ Remote
Type
- Unknown
+ Incorrect calculation
Description
+ A security issue has been found in curl before version 7.77.0. libcurl lets applications specify which specific TLS ciphers to use in transfers, using the option called CURLOPT_SSL_CIPHER_LIST. The cipher selection is used for the TLS negotiation when a transfer is done involving any of the TLS based transfer protocols libcurl supports, such as HTTPS, FTPS, IMAPS, POP3S, SMTPS etc.
+
+ Due to a mistake in the code, the selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly.
References
+ https://curl.se/docs/CVE-2021-22897.html
+ https://github.com/curl/curl/commit/bbb71507b7bab52002f9b1e0880bed6a32834511
Notes
+ Workaround
+ ==========
+
+ The issue can be mitigated by avoiding the use of CURLOPT_SSL_CIPHER_LIST.
CVE-2021-22897 created at 26 May 2021 10:18:20
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes