Update cURL 7.88.1 Windows Server

Question

Update cURL 7.88.1 Windows Server

Saeed Ramirez 150

Hello, I appreciate your support with the following:

Until the day of this post, our vulnerability detection tool has detected the curl 7.87.0 version on the network as vulnerable, which appears in most windows server operating systems in an integrated way.

Currently, the updated version 7.88.1 appears on the official curl page, but he was unable to find the appropriate method to update the curl program.

I would appreciate it if you could provide me with the correct method for updating the program or if you have information on the patch/update of the operating system that will address this vulnerability.

Thank you!

Tom Allwood 5 Reputation points

2023-03-04T06:54:30.3766667+00:00

The vulnerable version of curl is installed on all windows 10/11 clients as well as detected by tenable
Madan D 5 Reputation points

2023-03-06T08:00:10.1966667+00:00

Vulnerable version of cURL shipped with Win OS Server hence can we expect Microsoft to release a patch to include cURL version - 7.88.1.

I have downloaded the cURL latest version from cURL official website - https://curl.se/windows/ but clicking on cURL.exe in bin doesn't upgrade the older version. I am not sure that replacing the existing cURL.exe with latest cURL.exe will fix the issue or it will result in corrupting the cURL package in OS. If anyone has upgraded the cURL and it worked out, please advise.

Also, if we don't use it, how can we disable / remove it from our server. Kindly advise with links.
Bruce Loeffler 45 Reputation points

2023-03-06T21:13:28.8533333+00:00

If the vulnerable version is shipped as part of the OS should the fixed version not be included in the monthly patch for those impacted operating systems. You should not have to go out to a third-party site to download and patch anything that is installed as part of the OS installation.
Rom 5 Reputation points

2023-03-08T04:02:47.4633333+00:00

Agree with Bruce Loeffler, should be in monthly patching.

Customers are moving to core in this case Windows Server 2019 and curl it is coming up with vulnerabilities.
TK 300 Reputation points

2023-03-08T20:58:57.3+00:00

https://www.tenable.com/plugins/nessus/171859 is the plug-in info for this ticket. Microsoft needs to respond on the issue.
160MN 1 Reputation point

2023-03-10T19:05:42.9+00:00

And open but not responded to question in MS github. https://github.com/MicrosoftDocs/Virtualization-Documentation/issues/1830
shyam singh 10 Reputation points

2023-10-04T11:33:30.1633333+00:00

i had replaced the old curl file with new one and it works fine and vulnerability gone.

3 answers

Your answer

Tom Allwood 5 Reputation points

2023-03-04T06:54:30.3766667+00:00

The vulnerable version of curl is installed on all windows 10/11 clients as well as detected by tenable
Madan D 5 Reputation points

2023-03-06T08:00:10.1966667+00:00

Vulnerable version of cURL shipped with Win OS Server hence can we expect Microsoft to release a patch to include cURL version - 7.88.1.

I have downloaded the cURL latest version from cURL official website - https://curl.se/windows/ but clicking on cURL.exe in bin doesn't upgrade the older version. I am not sure that replacing the existing cURL.exe with latest cURL.exe will fix the issue or it will result in corrupting the cURL package in OS. If anyone has upgraded the cURL and it worked out, please advise.

Also, if we don't use it, how can we disable / remove it from our server. Kindly advise with links.
Bruce Loeffler 45 Reputation points

2023-03-06T21:13:28.8533333+00:00

If the vulnerable version is shipped as part of the OS should the fixed version not be included in the monthly patch for those impacted operating systems. You should not have to go out to a third-party site to download and patch anything that is installed as part of the OS installation.
Rom 5 Reputation points

2023-03-08T04:02:47.4633333+00:00

Agree with Bruce Loeffler, should be in monthly patching.

Customers are moving to core in this case Windows Server 2019 and curl it is coming up with vulnerabilities.
TK 300 Reputation points

2023-03-08T20:58:57.3+00:00

https://www.tenable.com/plugins/nessus/171859 is the plug-in info for this ticket. Microsoft needs to respond on the issue.
160MN 1 Reputation point

2023-03-10T19:05:42.9+00:00

And open but not responded to question in MS github. https://github.com/MicrosoftDocs/Virtualization-Documentation/issues/1830
shyam singh 10 Reputation points

2023-10-04T11:33:30.1633333+00:00

i had replaced the old curl file with new one and it works fine and vulnerability gone.

Answer 1

pronichkin 26

The issue is resolved with April, 11th round of updates for all supported operating systems. (e.g., KB5025229 for Windows Server 2019, KB5025230 for Windows Server 2022.) The inbox version of curl.exe (located at %WinDir%\System32\curl.exe) has been updated to version 8.0.1 which addresses CVE-2022-43552. Note that if some other software installed curl.exe to another location, it needs to be updated separately.

Answer 2

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

5 deleted comments

Comments have been turned off. Learn more

Answer 3

Limitless Technology 44,711

Hello there,

Several users have shared similar concerns and this might be addressed in upcoming security patches hopefully.

Meanwhile, it is not advised to disable it. Most vendor APIs are going to rely on curl instead of wget. It’s not that you need to be able to curl against Windows Server, it’s that it’s very likely your Windows Server will need to curl to an upstream server as part of an automation pipeline.

Tenable vulnerability scanner had flagged several of the above vulnerabilities associated with cURL

You can raise feedback to the Microsoft team. The Feedback Hub app lets you tell Microsoft about any problems you run into https://support.microsoft.com/en-us/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer–

TK 300 Reputation points

2023-03-10T19:36:25.81+00:00

Via a support ticket, Microsoft acknowledged the issue and gave a general, vague statement about fixing it in the future. My guess is that we will see this fixed in the March or April monthly patches. On the server side, this only affects Server 2019 and Server 2022.
Bruce Loeffler 45 Reputation points

2023-03-14T18:36:38.8466667+00:00

The reply from Limitless Technologies is NOT an answer to the question/issue. Adding another app on your device in order to provide feedback to Microsoft is also not the answer. I or anyone for that matter, should not have to install an app on any of our devices to provide feedback. That should be via a website that they actually respond to.

Here we go with patches being released for another month and still they have not resolved the issue. Come on Microsoft, this should be an easy win for you. Up your game.
Shailendra kumar 1 Reputation point

2023-03-25T04:46:47.57+00:00

Microsoft release below info, in upcoming month update release this vulnerability will be mitigated.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-43552
Scott Owens 1 Reputation point

2023-03-30T13:26:18.3833333+00:00

~~That webpage returns 404 ~ Not found.~~ Update: That page is now working.

Share via

Update cURL 7.88.1 Windows Server

3 answers

Your answer