Update cURL 7.88.1 Windows Server

Hello, I appreciate your support with the following:
Until the day of this post, our vulnerability detection tool has detected the curl 7.87.0 version on the network as vulnerable, which appears in most Windows Server operating systems in an integrated way.
Currently, the updated version 7.88.1 appears on the official curl page, but I was unable to find the appropriate method to update the curl program.
I would appreciate it if you could provide me with the correct method for updating the program or if you have information on the patch/update of the operating system that will address this vulnerability.
Thank you!
A vulnerable version of cURL is shipped with Win OS Server, hence can we expect Microsoft to release a patch to include cURL version 7.88.1?
I have downloaded the latest cURL version from the official cURL website - https://curl.se/windows/ but clicking on cURL.exe in bin doesn't upgrade the older version. I am not sure whether replacing the existing cURL.exe with the latest cURL.exe will fix the issue or whether it will result in corrupting the cURL package in the OS. If anyone has upgraded cURL and it worked out, please advise.
Also, if we don't use it, how can we disable / remove it from our server? Kindly advise with links.
If the vulnerable version is shipped as part of the OS, should the fixed version not be included in the monthly patch for those impacted operating systems? You should not have to go out to a third-party site to download and patch anything that is installed as part of the OS installation.
Agree with Bruce Loeffler, should be in monthly patching.
Customers are moving to Core, in this case Windows Server 2019, and curl is coming up with vulnerabilities.
https://www.tenable.com/plugins/nessus/171859 is the plug-in info for this ticket. Microsoft needs to respond on the issue.
And an open but not responded-to question in MS GitHub: https://github.com/MicrosoftDocs/Virtualization-Documentation/issues/1830
1 answer
Hello there,
Several users have shared similar concerns, and this might hopefully be addressed in upcoming security patches.
Meanwhile, it is not advised to disable it. Most vendor APIs are going to rely on curl instead of wget. It’s not that you need to be able to curl against Windows Server, it’s that it’s very likely your Windows Server will need to curl to an upstream server as part of an automation pipeline.
Tenable vulnerability scanner had flagged several of the above vulnerabilities associated with cURL.
You can raise feedback to the Microsoft team. The Feedback Hub app lets you tell Microsoft about any problems you run into: https://support.microsoft.com/en-us/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332
Hope this resolves your query!
--If the reply is helpful, please Upvote and Accept it as an answer--
Via a support ticket, Microsoft acknowledged the issue and gave a general, vague statement about fixing it in the future. My guess is that we will see this fixed in the March or April monthly patches. On the server side, this only affects Server 2019 and Server 2022.
The reply from Limitless Technologies is NOT an answer to the question/issue. Adding another app on your device in order to provide feedback to Microsoft is also not the answer. I, or anyone for that matter, should not have to install an app on any of our devices to provide feedback. That should be via a website that they actually respond to.
Here we go with patches being released for another month and still they have not resolved the issue. Come on Microsoft, this should be an easy win for you. Up your game.
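
For triaging the scanner finding discussed in this thread, the following PowerShell is an added example, not part of any post above and not Microsoft's guidance: it lists the curl.exe copies on a server, reads each one's reported version, and compares it with the 7.88.1 release named in the question. The function names and the System32/SysWOW64 candidate paths are assumptions of this example.

```powershell
# Added example. Function names and the candidate path list are assumptions.
# Use curl.exe explicitly: in Windows PowerShell, "curl" is an alias for Invoke-WebRequest.
$FixedVersion = [version]'7.88.1'   # fixed release named in the thread

function Get-CurlVersion {
    param([Parameter(Mandatory)][string]$FirstLine)
    # First line of "curl.exe --version" starts with "curl <major>.<minor>.<patch>"
    if ($FirstLine -match '^curl\s+(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Get-CurlInventory {
    param([Parameter(Mandatory)][string[]]$Path, [version]$Fixed = $FixedVersion)
    foreach ($p in ($Path | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { continue }
        $first = & $p --version 2>$null | Select-Object -First 1
        $ver   = if ($first) { Get-CurlVersion -FirstLine $first } else { $null }
        $state = if (-not $ver) { 'Unknown' } elseif ($ver -lt $Fixed) { 'Outdated' } else { 'OK' }
        # The signer separates a Microsoft-signed binary from a copy obtained elsewhere.
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path    = $p
            Version = $ver
            State   = $state
            Signer  = $sig.SignerCertificate.Subject
        }
    }
}

# In-box locations plus every curl.exe reachable through PATH.
$candidates = @(
    Join-Path $env:SystemRoot 'System32\curl.exe'
    Join-Path $env:SystemRoot 'SysWOW64\curl.exe'
)
$candidates += Get-Command -Name curl.exe -CommandType Application -All -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Path }

Get-CurlInventory -Path $candidates | Format-Table -AutoSize
```

The Signer column shows whether an outdated copy is a Microsoft-signed binary or one that was installed separately, which determines who is responsible for updating it.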