How can we remediate CVE-2023-38039 which is showing in lot of Windows servers?

This needs to be escalated for a response from Microsoft corporate... It is 100% unacceptable and indefensible for Microsoft to incorporate open-source code in a way that requires only Microsoft packaged updates and fixes, when Microsoft has no intention of maintaining the code they decided to incorporate! This is another example of Microsoft doing things the programming community doesn't want while ensuring Windows is more vulnerable than ever before.

If Microsoft won't meet industry-standard patching deadlines, STOP INCORPORATING MORE OPEN SOURCE CODE into the OS but REQUIRING MS PACKAGED FIXES!

This is exactly like the old Macromedia Flash problem. STOP IT.

I highly recommend against any attempt to manually update the embedded Windows curl files. Replacing them changes the file hash that Microsoft expects to see when curl is addressed in a cumulative update. The entire update will fail to install.

This advice is based on personal experience with the previous curl finding in Tenable.

It's frustrating to see that the October 2023 updates did not include remediation for CURL vulnerability. If Microsoft does not have skillset and expertise with open source products to provide remediation steps for High vulnerabilities then I think they should stop shipping it with their Windows OS. I hope the Developers acts ASAP on the challenges faced by the Admins and the support teams with CURL vulnerability. Thanks.

where do you see this categorized as a medium? we have it prevelantly through our entire environment and CVE-2023-38039 is a high and about to breach the 30 day discovery and it was not addressed in the October patch release.

https://nvd.nist.gov/vuln/detail/CVE-2023-38039